They did end up banning all of the University of Minnesota over trust issues. Everything should be carefully vetted, sure, but it's always possible something gets missed; a good backdoor is indistinguishable from a bug, and those definitely end up getting merged. Any merge is a "risk", so to speak. It's a matter of risk management: a patch from Greg Kroah-Hartman is very unlikely to contain an intentional backdoor and a patch from Kim Jong-un is more likely to contain one, and with lots of shades in-between those two extremes.
Worse, you can be quite sure that a patch or series of patches from "Kim Jong-un" will introduce a bug (or rather a well hidden corner case) leading to a backdoor. It can be assumed that there's a hidden incentive behind the patches.
