There are a number of advantages: Besides the obvious allure of low-cost, highly customizable software, there’s a timeliness advantage to open source. Specifically, when we discover a significant security risk to the organization, the time to address that risk is right now: The attackers won’t wait for us to get budget, engage legal to review a purchasing contract, haggle with a vendor’s salespeople, etc.
There’s also, in many cases, a quality advantage: Open source tools can be — and often are — not just equivalent to commercial products. Sometimes they’re flat-out better.
So we’re probably used to thinking about open source software for security, but we’re maybe not as used to thinking about the security of open source.