Yes, but knowledge about code is very transmittable. The fact that someone like cpercival can examine the code, and has, means that I can just freeride on his analysis, along with everybody else who has also read it. Only a fraction of users need to verify the code for all of us to benefit. And "only a fraction of users" for an open source project can still be a lot more users than Microsoft can bring to bear, and a higher caliber of users, too.
Of course, Microsoft could do most of the same thing if they opened their source. People would read that too. But that's another issue, of course.
There's a slight problem with the "google the problem, find a patch and apply it": if you can't read and understand the patch, you're in no better (and probably worse) shape than you were before, security-wise.
In some ways having a late patch from a trusted source is better than a quick one from some random place on the net. The best would be quick, trusted patches, of course. A GPG-style web of trust validation of patches, maybe?
Typically, the guy who found the flaw and fixed it will submit it to the upstream developers, who hopefully will be able to tell whether the patch can be trusted or not, apply it to the development repository, eventually release a patched version, and warn vendors (mostly, Linux distributions) to upgrade. The user only has to keep up to date.
So you're (you being the one who downvoted my comment) saying that you're NOT waiting for a vendor to approve and distribute a patch if it's been proposed by an outside developer? Please elaborate.