Vulnerability in 1Password

That is not the concept of open source. No single person can verify even one huge program like Firefox. The verification comes as a community. Once someone finds a vulnerability, that person can speak about it. It just needs a single person to create attention. So even if you do not verify a single line of code yourself, you don’t need to trust a single entity (like a company); you can trust that there is at least one person in the community who will find the issues.

And of course all software has issues. Read this article about the SSH vulnerability a developer implemented intentionally. But what do you do if such a developer works for a company and nobody can read the code? It will not be found in a bit over a month, but maybe after damage is already done and people got hacked. Open source is not better because I can verify it myself, but because many eyes see much more.