I find it to be quite the opposite - Closed source software tends to have way more security holes than OSS. BY FAR. Closed source relies upon obfuscation and has significantly fewer programmers at their disposal. Open source and many eyes naturally results in more elegant code and far quicker discovery of exploitable code. I don't use ANY closed source programs anymore... that I can think of... Other than Windows on some boxes, and the antivirus applications it requires BECAUSE of its closed source mentality.
And 'merging changes'? Most programs nowadays handle their updates automatically - You may have to hang out on the application's forum for a while to see if there are problems, but other than that, it is much the same as closed source, with the only difference being that you, the end user, have the option of actually SEEING the changes, and can go right to the source code to do so. You don't get to see the crappy code hiding behind closed source - If that gives you some feeling of 'professionalism', let me assure you that is not the case.
It has more to do with the target's market share than the sourcing model. Hacking Mac OS when it was 9% of the market share wouldn't make news. Hackers went after Windows because that made news. Interestingly, now that Mac OSX is getting to the 30% share, it is coming under attack. In the mobile space, Android is the market leader. So it gets the attention target on its back.
The difference is that Android's internals are open for analysis. Yes, there is a large, faster moving community that is evolving the code base quicker than a big company minded Microsoft. But there is also opportunity for someone to find and exploit the hole rather than fix it. This was exactly what happened with the Android game malware that sent your contacts and personal information to a server in China a year or so ago. And that fast moving dynamic is changing as well under Google, who is becoming the big company minded beast. They will become "the man" to the economic politics driven hacker. And to the attention seeking hacker.
My comment on merging sources was that unless you personally review source changes to both the OS and the apps you use (compiling them all locally), you are placing some implicit trust in the open source community. Nothing more.
It is a matter of where you personally want to place trust and accept risk. Just don't be lulled into believing the open source community is fully trustworthy - remember, many of the Windows hackers are part of the open source community.