A million eyes makes no difference when it comes to AI, they're all going to find the same vulnerabilities. Which means that one guy running AI against your closed source software is just about the same as 1000 guys running AI against your FOSS, but most of the people running against your FOSS are going to be doing it to help you, and the people who ran against your closed codebase are never going to tell you about it.

AI finding vulnerabilities and cleaning them up is going to be a budget problem for closed-source software, who have gotten used to ignoring vulnerabilities until somebody screams at them.

Closed source software isn't kept in a magical safe in a cavern deep beneath the earth, guarded by dragons. Half the people in your company touch it every day, and probably plenty of contractors.