
I don't think that's true, or at the very least it's misleading. Qualified eyeballs are often expensive, and moreover there are consistent intellectual biases of human beings that interfere with catching all bugs.


Though the 'law' is associated with reading source code, I think it can also apply to people using the code, and reporting errors (sometimes automatically).

They may not be able to fix it, but just noticing there is a problem is a big first step.


Sure, I'm just saying in reality it's not as ideal as it would seem. You're not going to get thousands of new qualified people reading every codebase every year; things will inevitably slip through the cracks, and at a guess open-source lines of code probably have fewer people reading them net than all currently maintained proprietary software, just because there is vastly more open source software these days.


This would be more in the context of FOSS, so the economics are certainly different. I am not sure qualified eyeballs are expensive in this context.


Look at OpenSSL and Heartbleed. Nobody found it and it ended up being a catastrophe. It has since seen major industry investment. The problems have been mostly alleviated.


Anyone worth their salt who spent longer than 10 minutes looking at OpenSSL's source code knew that it was riddled with problems.

Regardless of that none of the many billion dollar companies that relied on it invested anything into improving it.
