log4j (2) demonstrates the tremendous success of the open source development model (and not the opposite, as some might believe because of the recent vulnerability).
A huge number of companies use log4j in their products. What else spells success better?
However, what those companies failed to do is to properly manage their risk, here the dependency on open source. That’s on the companies, and not on the open source model, which works just fine, thank you.
Bugs happen, and exploits also. Sooner rather than later, there will be other bugs and exploits, in open source packages and (increasingly less so) closed software. The problem and the risks won’t go away.
What counts is how companies manage this risk. Maybe the log4j vulnerability could have been avoided if companies had pooled money and funded its development better. Or maybe not. This again is not a problem with open source, but with the companies not managing their dependencies right.