Since this is more a set of general questions than something Solus specific, I'll answer more generally.
Someone once said to me that the most secure computer in the world is one that is never turned on and used by anyone. There's a fair bit of truth to that. As soon as anyone has access to your computer, physically or remotely, any vulnerability is fair game. In that sense, the best we can do is focus on fixing vulnerabilities where possible and mitigating them where not.
A1: Open-source OSes are just as susceptible to attack as closed source systems. The difference is that in open-source we can all work together to make things more secure, whereas closed-source is at the mercy of business priorities and staffing. Putting the source out into the wild means more people can look for problems in it with the goal of fixing or exploiting the system, so it's a double-edged sword.
A2: It's impossible to go through the whole source code of everything in a modern OS. They are too large for any one person to see where all the vulnerabilities are. So even if you manage to catch loads of little vulnerabilities in large pieces of the code, inevitably you will still miss something in the bigger picture. That said, of course security experts still do look for vulnerabilities and create CVE reports for people to work on fixing them. This is nothing new.
A3: Sometimes it is best not to report these results, so no, not always. You have to understand that the more information you disclose about a vulnerability, the more that undesirable actors are able to achieve.
A4: You are missing the point. No computer system is 100% safe to use. You can engineer the hell out of it, catch every bug, plug every hole and still end up getting compromised by the actions of the people who use the system. Any claims about one OS being more secure than another are pointless.
A5: All of the Solus Editions are built on the same core software repos. The only thing that changes is what packages are installed by default. The reason that we claim that we are secure is that we do everything we can to patch CVEs and keep software up-to-date so that we minimize the potential attack surfaces. Because of our small, focused repository we are able to do this quickly and with only a few people.
Lastly, you seem to misunderstand what we mean by "from scratch" and how Linux distributions are built. At the end of the day, about 90-99% of all of the software that exists in a Linux distribution repository was not written by the people who maintain it. We distribute our own builds of that software to our end users. When we talk about Solus being "from scratch" we are not talking about all the software that we ship. We are stating that we do not have an upstream where the packages come from. An extreme example of that might be Elementary OS being based on Ubuntu, which is itself based on Debian. Solus is at the lowest level, like Debian. And like Debian, we have our own tools for building, distributing, and installing packages. The key difference between us is the configuration of the software we build, both of the compilation process itself and the default configuration settings that we provide.