The security issue comes when your vendor starts to use code/themes/plugins/addons from outside of the open source framework. The actual framework isn't the problem 99% of the time, since it gets actively patched and there is a community that actually works on it, as compared to private software that has a few staff to work on it. The real problem comes when an issue arises and they have no one to blame and point to the 'open source system'.
Custom build or use open source? Which is better overall?