>>That's what I believe he's saying.
And lo, your faith shall be rewarded by confirmation. Yes, that's the essence of it.
When I mention the "number of eyes", I'm not talking about the user base, so much as the developer base. Wordpress has a large dev base and with funding from Automattic, has some resources to put into security review. As I mentioned, I don't think it gets the priority it does in some other open source projects, but it gets more attention than Bobby's Great New App (typically, unless Bobby is a security specialist).
Of course, if you have a top-notch professional security team vetting your very small code base, you'll end up with a secure app at a very high price and unless people have big budgets and need HIPAA or a high-level of PCI compliance, they don't typically spend for it.
OpenBSD is a lot less popular then Linux... but OpenBSD is probably more significantly secure than Linux
I don't think you need a "probably" in that sentence. I don't know anything about OpenBSD, but FreeBSD is unquestionably more secure if run right than Linux.
But, I would argue, this is not a question of code quality, but of architectural decisions.
It's more analagous to WP choosing to give you an interface that allows you to edit PHP files, whereas almost nobody else does. So on WP install, if you have one dumb user with a weak password and privs to edit files via the admin interface, the hacker owns your server. With Drupal, if I lock down SSH to only allow login with public/private keys, the challenge is much greater and there's only so much someone can do if he cracks into the CMS.
Similarly, FreeBSD has the concept of "jails" which allows separation of functions (so someone who owns your web server, doesn't necessarily have access to server admin or the DB and vice versa) which is harder to achieve in Linux.
For a cool rundown of differences between a Linux stack and a FreeBSD-based "Armored Stack" look at the table near the bottom of this article:
...] (I have the print copy fo this article and every few months give it another read).
The article is by the guy who ran ha.ckers.org, which was hit by 1,000,000 attacks per year for the seven years he ran it, without getting compromised. That's some serious armor!
So in short, as I think about it more, I agree with you overall - if you design your custom app with security in mind and know what you're doing, it will be more secure than wordpress because you'll be in a position to make architectural decisions that encourage a secure design. No amount of code review from any community can compensate for a less secure architecture. So you're definitely right there.
My only caveat is that with a given architecture/feature set, I'll take the app with a bigger dev base and a bigger security team. But you're quite right that if you start from fundamentally different architectures like FreeBSD vs Linux, you end up with a very different security environment and your Wordpress = Linux analogy is well taken.