And are bugs harder to find than carefully hidden backdoors? No-one noticed the code being added and if it hadn’t have had a performance penalty then it probably wouldn’t have been discovered for a very long time, if ever.
The flip side to open-source is that bad actors could have reviewed the code, discovered Heartbleed and been quietly exploiting it without anyone knowing. Government agencies and criminal groups are known to horde zero-days.