How are large open source projects kept secure?


I read that the Linux kernel has 29 million lines of code. How does one know for sure that there are no unnecessary code lines in some files that allow backdoor access or something else?


9 Answers

Anonymous

It's not like there are people analyzing the entire Linux kernel alone… Although maybe there are. But there are thousands of people looking at separate parts of it. So there's a decent likelihood that each file and/or code line has had multiple sets of eyes on it.

It really boils down to trust. You have to place trust in the commercial closed-source products too. How likely is it that each developer’s code is being analyzed line by line to ensure they didn’t drop in a back door? Or checked for overlooked vulnerabilities? Security checks take time and money. Companies want their product on the market generating revenue, not sitting in development being scrutinized for obscure potential abuses.

At the end of the day a popular open source project is likely to have had more eyes on each piece than a privately developed closed-source project. It's not perfect, but neither is private development.
