Well, the 1000 eyes approach has worked with other open source, mission critical software, like Linux, which also doesn't have an official testing suite. If you have enough people invested in making sure something works, there's a strong incentive to uncover bugs no matter how obscure.
Security's always going to be an arms race in software.