I don't know. To me it's simply an explanation of what has happened. I think its exactly what I would have written if I was in their position. And show me the one company that has audited all source code of all used open source projects, at least in a way that is able to rule out complex bugs like this. I have once found a memory corruption bug in Berkeley DB wrecking our huge production database, which I would have never found in any pre-emptive source code audit, however detailed.

Edit: On second thought, maybe they could have just written "external library" instead of "open source library".