this post was submitted on 02 Nov 2023
16 points (86.4% liked)
In terms of actual vulnerabilities? Probably comes out comparable? You have more eyes which means more opportunities for code review. But that is going to boil down to how rigorous the code review is and whether it is just people rubber stamping "trusted" developers.
It's controversial for a lot of reasons, but a couple years back there was the university professor and his grad student who intentionally introduced vulnerabilities into one of the big projects. I forget at what point that was caught or what project, but it happens every few years. And likely happens a lot more than we know about.
But mostly? When I am assessing software for a production situation, the security of an open source library versus a proprietary one isn't even on the list. Depending on the company I am investigating the contributors, but that happens whether it is a company or a GitHub page.
What really matters to me is how critical it is and what the support model is. Because if a vulnerability takes a week to get properly fixed or results in significant development slowdowns in the aftermath: It is worthless to me. Whereas a company that is on the hook to go all hands on deck and crunch their developers (because that always helps and doesn't cause problems down the line..) to fix an issue within N hours? That shit means I don't lose any sleep when the poo hits the fan.