The only exception is if there were significant changes to the code after it was closed, given that it won't be read by the attackers or the LLMs, if you are using them locally.
They can use LLMs internally to find bugs privately without revealing the source code, a step ahead of the attackers.
We have just seen the Copy.fail disclosure disaster, which was discovered by someone using an LLM who released a zero day without a clear fix and sent the community into confusion / panic.
Given that powerful LLMs exist, both open and closed weight models, open sourcing everything for the sake of it makes less sense, and there has to be a balance, especially when it is used by hospitals.