| Because the system is known and people can see the source, holes tend to | be discovered quicker and fixed. A proprietary closed source product may | have all sorts of holes - you simply don't know - and have no way of | closing them, relying on the supplier to produce timely fixes (if at all).
To elaborate on this:
Closed source does not prevent people from discovering holes or even fixing them. But, not having source means whatever you do is a big binary hack and very ugly (and very hard for the average programmer to do; worse for the average system administrator). To the hacker, ugly is an advantage. Exploits don't use source code (historically I have seen a couple that do, but that's 2 out of tens of thousands).
Closed source: Hacker: a little slower to make an exploit Admin: a LOT slower/harder to fix it, forcing vendor dependence Open source: Hacker: a littler faster to make an exploit Admin: a LOT faster/easier to fix it, with the advantage of a community that can do it, not just a vendor
The embedded scenario will be harder to work with due to the need to redistribute the fix since embedded users won't generally be in any position to deal with it. But embedded also has the advantage of not having to deploy a full-blown host system, focusing instead on the exact application intended. It's probably a break-even and depending on the application, perhaps a net advantage.