Why open source software isn't as secure as you think