As you may have heard by now, Debian introduced a distribution-level
patch to OpenSSL that pretty much completely wiped out the PRNG, with the
result that it generated predictable keys. Plenty has been written
about this, but it's worth noting that this bug has been hanging
around for two years and was far from hidden. On the contrary, there
was an outstanding bug
documenting the "problem" that resulted in the patch and it wasn't
hard to find the corresponding fix in Debian SVN. So, here we have a
fairly obvious (to a security expert) error in a section of code that
is well known to be security critical, specifically called out in the
bug database, and yet it took two years for someone to notice.
What does that say about how difficult it would be to insert
and hide a backdoor in a piece of software?
