The optimists believe in the following and they think every Open-Source Software developer will behave the same:
There's a line of thought among some users that open-source software is more secure than commercial software because there are more people looking at the source code and providing feedback or because open-source projects can patch issues faster.
In reality, this is hardly true. And that explains why most CIOs are pessimists, especially in Singapore.
While in other Asia regions (especially South-East Asia) where budget is limited, CIOs in Singapore have relatively huge budget to work with. Cost is never in their top-priority list. Security is, especially if they are looking for suitable Identity and Access Management software.
It is seldom the best-features product that wins tenders. (I was naive few years back that I'll surely win any project if I have the best product in the market in terms of features, scalability and cost-effectiveness. I learnt my lesson. Humble now.)
I think the process in handling security vulnerability must be transparent and communicated again and again.
I just visited Apache Software Foundation site and was pretty impressed with the way they communicate how they handle security vulnerability. The steps in handling security vulnerability are listed in detail.
They even have dedicated team with corresponding email addresses for certain high-usage products.
Now, it is never enough to tell potential customers that "there is a team of smart developers helping to take a look as and when security vulnerability is found. These are the smartest people around who know this particular open-source software inside out. They are the ones you need if vulnerability is found. And by the way, this is the email address you can forward your concern to."
CIOs are not stupid, I have to say that.
They need to be convinced that there is indeed a process in place and a dedicated security team to rely on as and when critical vulnerability occurs. Turnaround time in resolving the security loop-hole is very important to them.
By the way, if there is indeed a process in place, then it's better that the same information is communicated to the public. Otherwise, who knows you are working hard behind the scene?
Communication is an art.