The short answer is that open source software is as secure or more secure (in general) than commercial software. A good summary of the relevant issues can be found in this article from IBM: The security implications of open source software. The increased security of using open source was cited as one reason the White House switched to Drupal.

Drupal's API and default configuration are designed to be secure when used in their default modes. Issues like Injection, Cross Site Scripting, Session Management, Cross Site Request Forgeries, and others all have standard solutions in the Drupal API. For a more detailed review of the topic please read the Drupal Security Report.