Hacker News

I think you're connecting two points he made that weren't connected.

On the one hand, open source projects make for an environment where bad actors could propose changes to the software that include these bugs/backdoors. The benefit to the open source arena is that these changes can easily be analyzed and tested.

In Microsoft's case, the source being visible but not editable is still a real risk (assuming the bad actor is able to extract the data they're viewing for further analysis), because they can use the source to determine avenues for attack.

The fact that it was read-only does help ensure that no new attack vectors were created, but it still increases the chance of new attack vectors being found/used in the future.


