So you would prefer to keep open exploits around and approach with security-by-obscurity?

Somehow I think Apple can muster the resources to respond to vulnerabilities in exactly the same way you’re claiming they respond to open source exploitation. You may have a point with much smaller projects, but this is Apple and they can easily outfund exploiters before there’s mass exploitation, according to your analysis of increased attention.




That's not how it works. I think you have little idea, if any, how easy it is to find exploits if you have the source code vs if you don't. With source code you can immediately see the conditions that will cause buffer overruns, for example. One of the huge targets has always been the JPEG decoder code in Chrome. If you can somehow figure out the conditions that will result in a buffer overrun, you will have an exploit just by creating an artificial JPEG. Your victim simply needs to visit your webpage with that JPEG, which can even be pushed by narrowly targeted ads, Facebook, etc. Building such exploits is much harder to accomplish without having the source code. This is a rather outdated example, but think about the possibilities in JavaScript engines, HTML rendering, graphics drivers, OS calls, extensions, APIs, etc. When you have 10 million lines of code, you almost inevitably have some exploit. Such zero days are often sold for tens of millions of dollars. It's much, much harder to find the same vulnerabilities without having the source code.

Your argument that somehow Apple will do better than these black hat guys is also flawed. Apple can hire N security experts, but Apple will always be unlikely to match the number of firms and state agencies who can hire M >> N in aggregate. Think of Apple running a centralized effort with N people while the whole world runs a distributed attack every day, every hour, with 10X more eyes and time on hand. Also, it has been very well understood among security professionals that source code gets far more scrutiny from black hat than from white hat guys.

Finally, remember that people don't update their systems for months and even years. You should know that Bezos' iPhone was hacked by an exploit developed by a black hat firm, which ultimately cost him $40B in divorce. Think about that for a second. A single software vulnerability cost $40 billion, more than the market cap of many companies and the GDPs of many countries. This is a guy who literally owns a huge chunk of public and private infrastructure, has the best of the best security experts at his fingertips, and he got hacked.


I doubt anyone will argue that it’s easier to find exploits in closed-source code, but it’s really not that much more difficult. Like, maybe an order of magnitude harder at most. To a nation-state, does it really matter that a zero day chain costs $100,000 rather than $1,000,000?