I kind of figure almost the opposite - those commercial entities have both the resources (hopefully) for subject matter experts and auditing (also hopefully) and a strong financial interest in not having a disclosed breach (and almost all significant breaches are likely to be disclosed/discovered at some point). On the other side, a small development team of individuals seems (to me) less likely to have the resources and more able to simply walk away in case of a breach.
Because they don't offer to save your passwords, the only possible breach is someone attacking your personal computer, which is so much less likely than someone trying to attack a company that hosts thousands or even millions of password databases.
In the open source world you at least have the possibility that someone you trust looks at the code; with closed source you don't.