Isn't it the opposite, though? The whole thing was caught precisely because it was open source. Sure, you can argue that the vulnerability was introduced by a contributor, but what prevents the same thing from happening in a private repository, perpetrated by an actual employee? Especially if you consider that many vulnerabilities can be introduced with code more likely to pass as legitimate mistakes.


Or think about the closed-source products that use open source code (basically everything these days) - had this targeted versions of xz building on Windows only, it might have lain dormant longer (not sure this attack would have been useful, but something analogous could be).


But it wasn't caught because it was open source? It was caught basically by chance by an engineer using the distro who admits they only caught it because of a series of coincidences.



