> In reality, Android is supposed to be “open” but between Android, iOS, and Windows, the Android ecosystem has the worst track record of both correcting bugs and getting the patches out to users.
The process of identifying bugs and the process of distributing patches are two separate things. And there is a very specific reason the "Android ecosystem" is slow to distribute patches -- an important piece, namely the hardware drivers, is not open. The reason you can't install the latest stock Android with all the latest patches on your device is that the device is stuck with proprietary blob drivers that aren't compatible with newer kernels.
And the operating system with the best security record is unambiguously OpenBSD.
> In the real world, no one is voluntarily going through each line of either Android or iOS looking for exploits out of the goodness of their hearts.
They don't have to do it out of altruism; there are plenty of self-interested reasons to do it. Security researchers build their reputations by discovering vulnerabilities. iOS jailbreaks are valuable. Some companies that use Android in their own products pay to audit the code that runs on them (and incidentally on everyone else's devices). Programmers that discover their device unexpectedly doing something "weird" are more likely to investigate, and more likely to succeed in discovering the cause, when the code is available.
> And that “logic” falls apart with one widespread example - the HeartBleed bug that was in the OpenSSL implementation for a year and a half.
https://www.cvedetails.com/vulnerability-list/vendor_id-26/p...
Take a look at how many of those also affect Server 2008, implying they've been there for at least a decade before being discovered.
> The number is also “non zero” of bugs found by third parties in closed source software....
And how many of those were discovered specifically because the source code wasn't available?