Hacker News

If my Debian system were to break, and no one was around to fix it... I could fix it myself. Free software ftw.



The security flaw is inside a library that has been released under a BSD-style license (otherwise, the "goto fail;" hilarity would never have ensued). You're free to download the source of the 10.9 library, patch it, compile it and replace the vulnerable binary with the one you fixed.
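For readers who have not seen the "goto fail;" pattern the comment refers to, here is an added, simplified reconstruction of that control-flow shape beside a fail-closed version; this is not code from the thread or from Apple's library, and the hashing and signature steps are stand-in stubs (`update_ok`, `final_check`) so the file runs offline.

```c
/* Added example: a minimal reconstruction of the "goto fail;" control-flow
 * bug pattern, not Apple's code. The hash/verify steps are stubs. */
#include <stdio.h>

typedef int OSStatus;
enum { errOK = 0, errBadSignature = -1 };

/* Stand-ins for intermediate hashing steps and the final signature check. */
static OSStatus update_ok(void) { return errOK; }
static OSStatus final_check(int signature_valid)
{
    return signature_valid ? errOK : errBadSignature;
}

/* Vulnerable shape: the duplicated, indented-but-unconditional "goto fail;"
 * is always taken, so final_check() never runs and err still holds errOK
 * from the previous step. An invalid signature is reported as valid.
 * Compilers accept this silently unless unreachable-code warnings are on. */
OSStatus verify_vulnerable(int signature_valid)
{
    OSStatus err;
    if ((err = update_ok()) != 0)
        goto fail;
    if ((err = update_ok()) != 0)
        goto fail;
        goto fail;   /* duplicated line: always executed */
    if ((err = final_check(signature_valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Hardened shape: the result starts as failure and is set to success only
 * after the last check has passed, and every conditional body is braced.
 * A stray jump to fail: can then only ever return a failure status. */
OSStatus verify_fixed(int signature_valid)
{
    OSStatus err = errBadSignature;          /* fail-closed default */
    if (update_ok() != errOK) { goto fail; }
    if (update_ok() != errOK) { goto fail; }
    if (final_check(signature_valid) != errOK) { goto fail; }
    err = errOK;                             /* reached only if all checks passed */
fail:
    return err;
}

int main(void)
{
    printf("vulnerable, bad signature: %d\n", verify_vulnerable(0)); /* 0 = accepted */
    printf("fixed, bad signature:      %d\n", verify_fixed(0));      /* -1 = rejected */
    return 0;
}
```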


Apparently someone tried it and the publicly-available source is incomplete and doesn't build.


I think what's interesting is that this code is open source, in code if not development model, but it failed the law that "given enough eyeballs, all bugs are shallow." Until there was an inkling of trouble, at least, and then it was quite shallow indeed. So I wonder if white hats will now look at opensource.apple.com more routinely, because I'm sure black hats are there already.


One trouble with that is that the "source dump" style of open source that Apple engages in doesn't really attract eyeballs very well. Sure, you can go read the source, but it's hard to do much with it. It's hard to tinker with it, since Apple doesn't provide any good facilities for installing the stuff into the system. There's no place to send patches. You can send in bug reports if you find anything, but why would you bother when it's so hard to contribute code?

If you're interested in security and hacking on security code, OpenSSL would be a much better choice just because you can potentially become part of it, not just an observer.


If the system were to break, and nobody was around, you'd only know there was a problem when you were so compromised that your machine failed.



