The Debian OpenSSL bug was and is highly embarrassing, yes, but the fact that the source was open was absolutely instrumental in its discovery. It's also difficult to find a better example of the right way to react to such a bug.
Certainly open source benefits only so far from the review it receives. The NSA could conceivably submit a patch for openssh to Debian that once again subtly breaks security.
On the other hand, audit is possible, which is a hell of a lot better than the alternative; limiting their options to underhanded subversion is again better than the alternative; and to my knowledge nobody has actually ever picked up on a case of this happening (while we do know they have had the security of closed-source software subverted).