TBH though, usually the open source "faith based" approach to security doesn't
cut it either. It's easy to say "it's open source, therefore anyone can check the
code" but much harder to actually find someone who has taken the time to do it....
More bluntly: the closed-source, "faith-based" approach to security
doesn't cut it. The attacks we're confronting are being launched
(in many cases) by people who *already have the source code*, and
who thus enjoy an enormous advantage over the defenders.