I am not so sure that what we need from the security point of view is "more code reviews". I mean: of course more code reviews (and/or more tools to check code) would be (are) very beneficial. However, this is primarily a question of priority, not specific to open source by the way. If security (especially software security) were more of a priority at large, more authority (and more money) would be spent on it and more code reviews would occur.
I am hoping for such things to occur. However, in the meantime...
... What we probably need much more crucially is a way of preventing false security claims; or more specifically in this case a way to remember (for a long time) that this code has *not* been reviewed or taken care of from the security point of view.
Many people, especially *very serious people* (to paraphrase a famous blogger), falsely claim that security is a given on a specific device when they try to advance their own project (or career). We need to change the way we look at these claims (and these people's knowledge, probably) in order to prevent them from simply waiting for a piece of software to get wide usage in order to claim any security (or risk management, as they call it).
These false claims are a pain to counter. We all know in this technical field that either pieces of evidence are available (usually a lot) to demonstrate that some security effort has been made, or the device is not secure.
Let's change our default motto! Unless we can provide hundreds of logs of activity, let's say frankly: "of course it's not secure".
(Furthermore, sometimes this is preferable... but that would be another topic.)