magic_lobster_party,

BUT… of course this is true only for big projects which actually do have many contributors.

It’s not always that easy. OpenSSL had the Heartbleed vulnerability for two years before it was discovered and patched. Log4j also had Log4Shell unnoticed for a while. These two projects are both widely used.

On the other hand, we don’t know to the same extent which serious vulnerabilities have existed (or still exist) in closed software. Heartbleed and Log4Shell got huge attention because they impacted open source software. They would probably still be left unpatched if they were in closed source software.
