Research by the U.S. Department of Homeland Security shows that Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1,000 lines of code.

The department has been reviewing and tightening up open source code's security and looking at Samba, the PHP, Perl, Tcl, and Amanda. It found and reported flaws in 7,826 open source project defects, which have all been fixed.

Linux came in with far fewer defects than average, with version 2.6 of the Linux kernel having a security bug rate of .127 per thousand lines of code.

More here.