Wouldn't open source enable review from people with access to the scanners prior to release?
Seems like there is a fair chance that it will mostly be an actual spike, where a bunch of existing vulnerabilities get cleaned up and then published software mostly has fewer vulnerabilities going forward.
Agreed. But this depends on (at least) 1 condition: that no new bugs are introduced.
FLOSS projects keep moving forward, and it seems some projects' maintainers are being swamped by PRs (some good, some bad).
Whatever allows random 3rd parties to 'strip-mine' existing codebases for bugs should also be applied to new code.