
If SolarWinds was compromised and the attackers could use that as a backdoor into Microsoft's datacenter, the problem isn't really about protecting source code. The problem is whether attackers were able to leverage that into stealing data from or sabotaging Microsoft customers. After all, that customer list contains many parts of the US government and civilian infrastructure in general, plus major international corporations.



The update literally says that "found no evidence of access to production services or customer data."


There are two aspects to the comment though: 1. Did they access services/data as part of this? 2. Can/did they use what they got to impact customers/gain access to customer data?

The comment in the article speaks to #1. And of course, we have to take that with a grain of salt. I doubt any company impacted by this would be fully honest if there was a customer breach. Regardless, you also can't prove a negative. So all they can really say is what they did. Which doesn't mean services/data weren't compromised. Given the size of Microsoft, I find it hard to believe that every service running there has the logs/audit trail to know whether they were inappropriately accessed.

But I took the OP's comment to be focused on #2 as well. There is a very real possibility that having access to the source code could help the attackers attack customers. Having access to the source code can help in locating vulnerabilities that allow future attacks against customers/services.


Please note: the source code of Windows 10 can be requested if you are a large enterprise or a government already (as long as you agree that you won't release it). The only possible significant difference here is the lag - you can read the source code of the internal builds, whereas you can only access the corresponding source code for stable builds officially. So, if you are a government, you can actually request it for a legitimate purpose and pass it into the other side of that government if you want to.


I think you're misunderstanding my point.

The "risk" mentioned in the quote a few comments up, and in the context of the post by MSRC, isn't about the risk of leaking Microsoft IP. It's about the risk that Microsoft customers might have been affected. Whether or not MSRC found evidence of a breach of customer accounts/data is a related but separate question.

