Two more dumb ideas which ought to be on this list:
1. "Given enough eyeballs, all bugs are shallow". The fact is that most eyeballs are useless because they're not capable of seeing the problems. Some bugs simply can't be found unless the person looking for them has particular technical expertise. (Side channel attacks against cryptography is my personal area of interest, and history indicates that at least 99.99% of eyeballs aren't useful when it comes to finding these.)
2. "There's a theoretical vulnerability, but nobody will be able to exploit it in practice." History is full of "purely theoretical" vulnerabilities which have turned out to be entirely real. This is why mathematicians (or people with mathematical training, at least) tend to do well in the area of computer security: If you can't prove that your code is secure, it probably isn't secure.
I think you've misinterpreted "Given enough eyeballs, all bugs are shallow".
When you have more eyeballs on a project, there is a higher chance that some of those eyeballs have the technical expertise necessary to find/fix a bug. For a proprietary/commercial project, the pool of talent available is only what you can afford, but for a free/open-source project, the pool of talent available is free and very very large provided that you can attract it.