I think that the bug bounty (bigger - better) is a key here. Transparency never hurts. In the last Ethereumgate it happened to be extremely useful. All bugs in the DAO code were known before hack, because of open source. Of course there may be an argument that if researchers (Gun Sirer at all) would not disclose glitches in the code, hack wouldn't happen. I think it's wrong - there would be strong incentives to use it, instead of report.