Open-source projects may have different security concerns than do COTS (commercial off-the-shelf) projects, IT control being one. However, if development life-cycle best practices are in place, through security QA testing, open-source projects should do fine.
Per the pie chart, the problem may have its roots in a lack of IT innovation. An IT-led initiative would not have a tagline of “who’s in charge of open-source security…?” When an innovative IT organization has invested up front in mapping out the use of emerging technologies (e.g. open-source), future users of that emerging technology will want to go to IT to leverage IT’s existing best-practices knowledge base.
If open-source projects are happening and they aren’t following IT best practices, then it seems logical that these aren’t corporate IT-defined or led projects.