This is only a partially-accurate description of how most open source projects work. While code review of the core developers is rare, patches from outside contributors typically are scrutinized before being applied. The curl vulnerability was introduced by an outsider's patch so I am troubled that it wasn't noticed before being committed.
I guess I'm just idealistic, but I would think for something this security sensitive or important (see "Fixing" TWO in glibc), they would have code reviews before anything could be committed.
In this case, an automated system rejecting anything that uses the non-"n" (strcat vs strncat, etc.) version of the string functions in C would have worked.
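The kind of pre-commit gate the comment above describes, as an added example (not code from this thread or from the curl project): a small checker that scans C source for calls to unbounded string functions and reports the line and a bounded replacement, so a CI job can reject the patch. The C snippet it runs over is constructed for illustration. The comment and string-literal stripping is there so a mention of `strcat` inside a comment or a `printf` message does not produce a false positive. One caveat a reviewer would add: the `n` variants remove only the trivial overflow; `strncpy` does not guarantee a terminator and `strncat`'s length argument is the remaining space, not the buffer size, so passing this gate is necessary but not sufficient.

```python
import re

# Constructed sample C source (not from curl); used only to exercise the checker.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>

void build(char *out, const char *user) {
    char buf[64];
    strcpy(buf, "prefix:");      /* unbounded copy */
    strcat(buf, user);           /* unbounded concat */
    sprintf(out, "%s", buf);     /* unbounded format */
    strncat(out, user, 8);       /* bounded variant, not flagged */
    // strcat(buf, user);        comment: should not be flagged
    printf("strcpy in a string literal is fine\\n");
}
"""

# Unbounded string functions and the bounded replacement a reviewer would ask for.
UNBOUNDED = {
    "strcpy": "strncpy / strlcpy (and check the length)",
    "strcat": "strncat / strlcat (and check the remaining space)",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
}

# \b keeps e.g. fgets( from matching gets( and strncat( from matching strcat(.
CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED) + r")\s*\(")


def strip_comments_and_strings(line, in_block):
    """Blank out /* */ and // comments and string literals so calls inside
    them are ignored. Returns (cleaned_line, still_inside_block_comment)."""
    out = []
    i, n = 0, len(line)
    while i < n:
        if in_block:
            end = line.find("*/", i)
            if end == -1:
                return "".join(out), True
            i = end + 2
            in_block = False
        elif line.startswith("/*", i):
            in_block = True
            i += 2
        elif line.startswith("//", i):
            break
        elif line[i] == '"':
            # Skip the string literal, honouring backslash escapes.
            i += 1
            while i < n and line[i] != '"':
                i += 2 if line[i] == "\\" else 1
            i += 1
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_block


def find_unbounded_calls(source):
    """Return (line_number, function, suggestion) for each unbounded call."""
    findings = []
    in_block = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        cleaned, in_block = strip_comments_and_strings(raw, in_block)
        for m in CALL_RE.finditer(cleaned):
            fn = m.group(1)
            findings.append((lineno, fn, UNBOUNDED[fn]))
    return findings


def check(source):
    """True when the gate would accept the source (no unbounded calls)."""
    return not find_unbounded_calls(source)


if __name__ == "__main__":
    for lineno, fn, hint in find_unbounded_calls(SAMPLE_C):
        print(f"line {lineno}: {fn}() is unbounded; consider {hint}")
    # Non-zero exit is what makes a pre-commit hook or CI step reject the patch.
    raise SystemExit(0 if check(SAMPLE_C) else 1)
```

Run over the constructed sample it reports the `strcpy`, `strcat` and `sprintf` calls on lines 6 to 8 and exits non-zero; the `strncat` call, the commented-out call and the word inside the string literal are not reported.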
If you expect code reviews and automated tests for an open-source product that's developed in spare time for no money, you can go to this page (http://curl.haxx.se/donation.html), click the PayPal button, and be very very generous.