
At least in the case of free (as in freedom) software, the vulnerabilities can be exposed and patched. More importantly (and more relevant to this discussion), software freedom also tends to make it difficult for the original developer to hide malicious features.


Theoretically, yes, but if you're going to make that claim you'd need some hard data showing that exploitable bugs either happen less frequently or are going and patched earlier.

Care to show your data and analysis?


To be fair - they didn't make that claim, just left it up to you to assume the dichotomy.

It can be (and arguably is) true that "proprietary software is inherently insecure" - without requiring an opposite statement like "open source software is inherently secure" to also hold. (The wording in context _does_ strongly suggest that was the implied premise of the implied premise though.)


How can I obtain reliable data on non-free software when the public cannot study the source code?

You also seem to discount the possibility of _intentional_ vulnerabilities (from the user's perspective) being included in the software by its developer.


You appear to be unaware of the large industry reverse-engineering software of all sorts. You could compare comparable projects and see whether source availability correlates with fewer vulnerabilities, lower severity, etc.

Similarly, the security community has discussed the possibility of intentional vulnerabilities in open-source software for decades. Sure, someone would probably notice if you submitted secret-nsa-exploit.patch, but it's unclear that someone would notice if e.g. you submitted a Heartbleed-style bug, not to mention something like the NSA's dual curve backdoor.

To be clear, I've been working with open-source software since the mid-90s. I think the model has a lot to offer but it's not magic. Lazy fanboy activism doesn't do anything but lower your credibility and help the companies which are arguing that open-source isn't safe to use (or isn't safe to use without paying them to manage it).



