Closed source products are really well known for investing in security and keeping tech debt to a minimum. This is why no commercial closed source product depended on something like log4j without thouroughly auditing it first. Oh wait...