Hacker News

graceful6800 yesterday at 4:45 PM

There are actually three states:

- A bug exists and nobody knows

- A bug exists and some people know

- A bug exists and everyone knows

As an outside observer, there is no way for you to determine if a bug is in state one or two; you only know once it's in the third state.

Which is the entire problem here. Having the bug be known to everyone is a vastly improved state over being known to a few. Yes, the bug being completely unknown is better than being known to a few, but there is no way to ever know if that's the case.

From the outside, known to none and known to a few are indistinguishable, and thus both states are the worst possible case. The only remedy is to make the bug known to everyone such that it cannot be covertly exploited.


Replies

psychoslave yesterday at 6:25 PM

That's not the whole picture though. Bugs exist anyway. The only practical concern is which are practically most likely going to be used among all these bugs that, yes, exist and are included in production.
