Linus has said a lot of stuff over the years and not all of it was on the money. Still, he did a lot of good and I'm very grateful for it, Linux has been my daily driver for almost two decades now (basically from when I stopped using SGI because there was no point any more).

But bugs in large codebases will always be a thing, and even though the eyes looking at FreeBSD are very, very good eyes, indeed there are not enough of them. The more interesting thing here is that they picked a really hard target. If they had done the same with Linux I would expect the number of bugs to be quite a bit higher.

That "many eyes" theory has failed us many times. For example, OpenSSL's heartbleed or the recent React RCEs.

”Most bugs are shallow” is more like it. One could also argue about the number of eyes actually looking at certain parts.