I had a feeling I might get called out on that... I meant that for all practical purposes, all software is theoretically vulnerable. Of course verifiable computing is a thing, but wildly impractical for most applications.
Meticulously maintained is not even close to being invulnerable. Everyone would like to say they meticulously maintain the projects they work on, but it would be incredibly arrogant to say that you couldn't conceive of ever unintentionally introducing a vulnerability.
Imagine if your next surgeon had this sort of attitude about the cleanliness of her tools, the operating theater, and her staff's equipment. Cleaning is hard, maintaining cleanliness is hard, and pathogens evolve in amazingly clever ways. Perhaps it will always be possible to propose a theoretical flaw in the procedure.
This is no reason to give up though! It is no excuse for not following best practices, consistently! That is malpractice, when done by a doctor! And their field is at least as complex as our own.
I don't know why you think I'm advocating that attitude. I'm not disagreeing that open source is a good thing for security. I'm just saying it's not the silver bullet that some people are claiming it to be.
I would be equally concerned if my surgeon said "I already know the best possible techniques for surgery. No point in investigating further or exploring better methods."