On what basis do you say that?
One, personal experience. Admittedly a while ago, but when involved in testing two products, both open source, the organization I was working for discarded them on the basis of security, they got hacked actually - not by me, but I found one of the hacks, it was deliberate from within the organization precisely for that reason. Did not know anything about the other, but heard the same sort of hack could be applied. The organization went to a commercial product and claimed there was never an issue with security, and I have not heard differently.
Two, I mentioned a particular PHP-App, an SMS actually, in a forum here and was immediately bashed around the head and shoulders by one of our New Zealand friends as the product I mentioned had security holes you could drive a truck through, and he recommended fixes to the manufacturer, but they had not been implemented at the time of writing. I didn't mind, really, learned something new and I have to bow to his far greater expertise. I also seem to recall one of our OU friends making similar comments about another product that was mentioned here in a discussion of interest to me at the time.
I may no longer be as in touch with these things as I was, but the point is the same, many Open Source products do not seem to pay as much attention to security as they could. I no longer have the skills to hack anything, not that I was ever any big fan of, or skilled at, hacking, but I am still very much aware of the damage and/or embarrassment that it can cause.
And in my own defence, I also said: "Moodle does better than its competitors in that security issues are recognised and responded to on a more frequent basis than proprietary software can afford to achieve. And this could be true for more Open Source projects..."
Security of any program is an issue, and I suspect a lot of the commercial software products emanating from the Dark Side are a lot larger than they need to be because of poor security (read ordinary programming practice) that has been patched and repatched and re-repatched and then patched again.