The theory has long been that package managers (and potentially other sources of FOSS) were potentially "more secure" and/or "more trustworthy" than commercial software because more people's eyes have been on the code and there are more people finding issues.
Have any major security companies done and published a full study of the actual security differences between these software sources, to include things like the rate at which bugs are found and the rate at which those [major] bugs are fixed?