I see it in the opposite way: security by obscurity is worse than no security at all.
I agree. Other strengths of open source are that users can fix issues they find themselves if they have the necessary skills, and that there is less chance of being stuck on an obsolete version with known security holes because of financial reasons or cessation of vendor support. That said, pfSense is going to drop support for the i386 platform (Intel 32-bit) in the near future, as there are few still-worthwhile hardware devices that will not run in 64-bit mode.
Part of the strength of pfSense is that it is built using well-regarded open source foundations:
Operating system: FreeBSD
Firewall and traffic shaper: pf (which FreeBSD committers have ported from OpenBSD to FreeBSD)
IPsec: the FreeBSD IPsec kernel code (based on KAME and OpenBSD code) and strongSwan IKE daemon
OpenVPN: the reference implementation
PPP: FreeBSD kernel netgraph with the mpd 5 userland daemon handling ancillary tasks
Web server: nginx (in recent versions of pfSense)
Responsive UI (pfSense 2.3 onwards): Bootstrap
Modularisation / upgrade handling (pfSense 2.3 onwards): FreeBSD pkg
The 'glue' code in pfSense is PHP and was originally forked from m0n0wall. This is of variable quality and does not follow best practice on privilege separation or modularisation. These issues are typical of software products that have evolved rather than being a clean implementation of an engineered solution. The intention is to rewrite the entire system in Python with clear and rigidly enforced client/server separation. As the configuration is held in a single XML file, upgrades between versions or even across technologies are easy to implement.
Any risks from the current glue code are mitigated by the good quality firewall implementation and the strong suggestion that the user interface is not made externally accessible. If remote management is needed, a VPN can be used to gain access to a local network with access to the user interface.
I have high regard for many commercial products, including those from Draytek and Cisco, but you have to take much more about code quality on trust in a closed source product.
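A defender's check for the recommendation above that the user interface not be externally accessible, as an added example that is not part of the original post or of pfSense's own code: it scans the single configuration XML for enabled WAN pass rules that could reach the web UI port. The element names are assumed to follow the usual pfSense config.xml layout, the sample is constructed, and source restrictions, inverted matches and address destinations are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names assumed to follow the usual config.xml layout.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>https</protocol><port>8443</port></webgui></system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source><descr>remote admin</descr>
      <destination><network>wanip</network><port>8000-9000</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <disabled/><source><any/></source><descr>old test rule</descr>
      <destination><any/></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><any/></source><descr>OpenVPN</descr>
      <destination><network>wanip</network><port>1194</port></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><descr>LAN to any</descr>
      <destination><any/></destination></rule>
  </filter>
</pfsense>"""

def gui_port(root):
    """Configured GUI port, else the protocol default (443 https, 80 http)."""
    port = (root.findtext("system/webgui/port") or "").strip()
    proto = (root.findtext("system/webgui/protocol") or "https").strip()
    return int(port) if port.isdigit() else (443 if proto == "https" else 80)

def port_matches(spec, port):
    """True for no port (all ports), an exact port or a lo-hi range."""
    lo, _, hi = (spec or "").strip().partition("-")
    if lo.isdigit() and (not hi or hi.isdigit()):
        return int(lo) <= port <= int(hi or lo)
    return True  # empty (all ports) or an alias we cannot resolve: flag it

def exposed_gui_rules(xml_text):
    """Enabled WAN pass rules (TCP, to the firewall or any) covering the GUI port."""
    root = ET.fromstring(xml_text)
    port, hits = gui_port(root), []
    for rule in root.iterfind("filter/rule"):
        dest = rule.find("destination")
        if (rule.find("disabled") is not None or dest is None
                or rule.findtext("type") != "pass"
                or "wan" not in (rule.findtext("interface") or "").split(",")
                or "tcp" not in (rule.findtext("protocol") or "tcp").split("/")):
            continue
        to_fw = dest.find("any") is not None or dest.findtext("network") in ("wanip", "(self)")
        if to_fw and port_matches(dest.findtext("port"), port):
            hits.append(rule.findtext("descr") or "(no description)")
    return hits
```

On the constructed sample only the "remote admin" rule is reported: its port range covers the GUI port, while the disabled rule, the UDP rule for the VPN and the LAN rule are skipped.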