It can be shown that the probability of a security failure after t hours of testing is approximately K/t for some constant K. This implies that the mean time between failures (MTBF) is about t/K after t hours of testing. So, security improves with testing, but it only improves linearly. One implication is that to ensure an average of, say, 1,000,000 hours between security failures, we must test for (on the order of) 1,000,000 hours. Suppose that an open source software project has a MTBF oît/K. If this same project were instead closed source, we might suspect that each bug would be twice as hard for an attacker to find. If this is true, it would appear that the MTBF in the closed source case is 2t/K and hence the closed source project will be twice as secure for a given amount of testing t.
Discuss some flaws with this reasoning.