I think it can be a reasonable assumption that the government has access to the code, while it is not being open to the public. There is a difference between "visible to everyone" (i.e. open source) and "visible to selected parties".

Having a different company do contract work does not require the source to be open, it just requires that the government owns it (as they get to choose what to do with it then).

Also, if no company is on a payroll because they are stuck with better projects, what makes you think someone that is not familiar with the code base would accept a merge request from an unknown party? Or if it was accepted, what makes you think this wouldn't immediately be abused to create loopholes and vulnerabilities?