My point is not that open-source software is invulnerable. It’s that security is based on trust. If you trust Apple, then you base your security assessment on your faith in Apple (backed up by warranties, user agreements, whatever applies). If you’re a major vendor to Apple, then your faith in Apple might be backed up by an SLA, a contract, or some strong legal instrument. If you bought a used iThing off Craigslist, then Apple owes you nothing and you have no reason to trust them at all until you enter into a business relationship with them. You almost certainly won’t lose anything by trusting them, but you have nothing to back you up if they don’t treat you the way you expect.
I trust Debian because I can inspect the code, because the developers are responsive to the community (they are part of it) and because I know how the development environment works.
You point out that Debian contains “70+ million lines of code”. That’s an entire operating system (actually several different ones), including ports to various architectures, and a huge amount of user software. Debian supports more architectures than Microsoft and Apple combined do, and user software is distributed in the same archive as system software, so yeah, that seems like a lot of stuff. However, my Debian system doesn’t have every package for every variant of every kernel on every architecture installed on it.
The little it does have is still too much for me to read in my lifetime, even if I were sufficiently expert in C, C++, Lisp, Scheme, Tcl, Perl, Python and Java to read other people’s code, which I’m not necessarily (only sometimes :^). I don’t feel I need to read it, because a minimum of three other people have done so publicly, and I can go back and look at the progress and results of that review if I want to.
I don’t read source code to find vulnerabilities in my system. I know some folks do read source to find exploits, but I’m pretty sure that most exploits are found by experiment, by the use of fuzzers and other runtime tools, and by accident. Most exploits aren’t obvious in the source, or they’d be patched before they get built, no?
I don’t trust Google Play or Apple’s app store, because I have no idea how the software is reviewed before it’s distributed. I suspect that in Google’s case it’s not reviewed at all (except after the fact, by user reviews: it’s not nothing, but it’s not enough). I regard binaries I install from Play as untrusted unless they are signed by an entity I trust (I trust Google to sign off on Google things, but not third-party binaries, because I don’t know that Google won’t sign things without checking them out to my satisfaction). I do trust F-Droid in this way, because F-Droid is all FOSS.