Not just government security and intelligence contractors around the world have source, but all Microsoft security partners are informed of the details of flaws discovered in Windows sometimes up to 6 months in advance... that is why I find it quite likely for some, perhaps many of the "undisclosed" vulnerabilities you can see at the Zero Day Initiative to already be leaked to malicious actors.
Your assertion that the efforts of government security researchers do not put effort into FOSS does on the face of it seem unlikely given how dependent those agencies are on the code (not to mention vulnerability discoveries and even code contributed)... I don't see how others also examining the code would discourage a government from reviewing the code they are using.
The NSA however in this case has gone off the rails, since they are believed to have been aware of the heartbeat bug but elected not to report it, calling into question the integrity of all government security agencies.
I'm not sure what your point about government security agencies using OpenBSD is intended to suggest, clearly this is also FOSS software, and a complete BSD system shares a great deal of its heritage and core software with Linux anyway! OpenSSL is a BSD project for example.
Finally, I don't see what any of this could do to change the residual defect density as shown in the chart above, or the overall defect density as observed by +Richard Beck above... or indeed the average defect severity which in my experience is also sharply in favour of FOSS.