u realize we can check compilers too, right?
and that even someone other than the supplier can check both the compiler and the software, right?
one can check and test blackbox, but it's never quite as thorough as whitebox can be.
so you're right that being blackbox doesn't prevent finding (some) problems, but the only thing this proves is that security is not an excuse to deny users freedom. your example of ME is not proprietary for security, it's proprietary for control, which is the usual reason.

as for GNU, it's a *lot* of software, with several very significant differences. plenty of it is run locally, without setuid or network access, so its security exposure is very low, but there's enough network-connected software in there nowadays that the audits by several commercial suppliers of GNU/Linux have surely been welcome. surely the low-hanging fruit is long gone, but... it's software, it's constantly evolving, so it's likely that there are bugs, some of which could even amount to security threats. but even if I knew about any, there are more responsible ways to publish 0-days than posting about them on social media ;-)