It doesn't matter whether you call it a "study" or a
"survey", if it's depending on being able to speak to people on the phone it's worthless, because that is not the most efficient way to communicate with developers *whether at an open source project or not*. I'll bet that they never spoke to the developers at the projects that did have a corporate structure, either... well, you know, the developers are all you get.

As for costs, the costs of dealing with software problems (whether security related or not) are orders of magnitude less with open source projects. A lot of the time you can include a patch to fix the problem with the problem report, and you don't have to spend expensive "phone tag time" communicating with them: that "talking to someone on the phone" part is a COST, not a BENEFIT. AND you can actually fix them, if the project doesn't. I've got open problems with Microsoft that are over 10 years old, that they STILL haven't fixed, that they will NEVER fix.