Hacker News

There are more eyes on the code too, though: virtually everything Microsoft ships gets a 3rd party review.



We also have mandatory security training for all developers. Turning every developer into a security reviewer helps a lot.

It's nothing compared to the knowledge I got by working in app sec or teaching network security, but it's pretty good for increasing the base of knowledge among general developers.


... that still isn't "many eyes" on any particular piece of code, in the sense of the saying, though.


Just because Eric S. Raymond says that's how security bugs should be found doesn't mean that's how security bugs are actually found.


And that is an interesting point; and it is specifically the point the G*P was making, which was obscured by saying, "Oh, but there are still multiple eyes here."



