Well, thats a fairly common argument and point of view that is far to simplistic to be realistic. Theres a whole host of people in pmdev, many of them quality programmers, in addition joining pmdev is mostly a matter of being of sufficient level on the site (to show that you are "responsible" in some way) and that a god has approved your membership. And thats about it. So the bar we set for who can see the code is fairly low. Having said that the way the code is structured its difficult and time consuming to do a proper security analysis so preventing random script kiddies with too much time on their hands the opportunity to find issues is merely prudent.

Ultimately the truth is that secrecy and information control are effective parts of any overall security picture. Relying on any one aspect of the security portfolio to secure your site is unwise, using them all together is not.

Ask yourself, if you were in charge of a military base would you publish the blueprints and engineers diagrams and specs on the bulletin-board outside? Of course you wouldn't.

Anyway, if it were possible to conduct a propper security review of the current code base to satisfy the gods paranoia then I suspect there would be no argument about opening things up. Until then however its gunna stay more or less "need-to-know". This isnt the codebase to a kernal being distributed widely and tested severly before it gets installed for production use, its a production web site with a reasonable load on donated equipement of interest only to a few interested perlmonks and possibly some crackers so IMO the benefits of an open code base would come at a cost we cannot afford.