I have been trying to convince a friend who runs a small business with a very static website to switch to Drupal. His impression - and he got the same thing when he asked a friend about it - is that anything which is open source can't be all that secure, because people have access to the source code. I told hime that access to the code isn't so important as encryption, but had to admit it isn't my area of expertise.
Is there anything published on the web, preferably from an independent source, that addresses Drupal and security, particularly from the angle of open source? Any comments form folks here on how secure drupal sites are compared to those that might use a priorietary CMS?