Counter question: are you asking because you have heard about a security vulnerability in, for example, Plone, TYPO3 or Drupal?
See, that's the good thing about open source: it can be analyzed and vulnerabilities can be found. You need not be concerned. News about open source software vulnerabilities usually come out when a security patch/release is available.
That's why it is so important to keep your software updated. If you have a 10 years old version of Plone, TYPO3 or Drupal (for example) unmaintained out in the wild, you can bet they have vulnerabilities. The same is true for unmaintained closed source CMS, by the way. It's true for any software.
Read more about responsible disclosure and zero day exploits in our article "Why safety is king".