Open source software is built on the principle that the source code is publicly available and that the developers involved are volunteers who build the software out of love and passion. A claimed advantage of open source software is its high security, because the publicly available source code lets developers discover and fix potential security bugs quickly. But the recent Heartbleed bug showed that this is not always the case.
Because the developers are volunteers and there is no monetary incentive in the development, they usually have other jobs to make a living, which means the time they can commit to the open source software is limited. And since nobody owns the software, nobody is responsible for any bugs in it. Because of these two factors, it is very hard to guarantee quality assurance and technical support for open source software.
You may argue that there are many successful open source projects, such as Firefox, Ubuntu, Fedora, and Java. But the truth is that each of these successful open source projects has a big organization or company behind it. The organization or company not only pays the developers, but also hires a quality assurance team to test the software and provides free and paid technical support to the users who adopt it.
In the case of the Heartbleed bug in OpenSSL, there is no organization or company that oversees and coordinates the project, and when a developer makes a mistake in development, the mistake can easily be overlooked. The good news coming out of the recent Heartbleed bug is that some major companies have decided to join forces to prevent another open source security incident like Heartbleed by donating money and providing the necessary technical support to open source projects.