You said: Most attackers focus their efforts on commercial software like Microsoft Windows, but commercial software is safer.

That doesn't make any sense. It seems like you're contradicting yourself.

With closed-source "commercial" software, it may be difficult or impossible to review and test the software.

Open source software is not automatically "safer" than commercial software. But open source software encourages peer review. You can examine the software and decide for yourself if it is safe or not. With proprietary software, you only know what the vendor tells you -- and no vendor is going to admit that their software may be buggy and insecure.

This is like asking, which car is the safest? To answer this question, one would have to go through demolating(crash testing) many cars. There is however another way. You create a list of your requirements, you embark on a search to find the "ideal" car based on your requirements/needs. After purchase, you proceed with taking your car for inspections. The car is then brought up to a standard (safe enough for driving). Then your car, based upon your requirements(which your car is bought upon) is safe.

Then again, the safest car would be one that does not dent or crunch when invloved in a an accident.

I would assume that most attackers focus their efforts on the most popular (that is, most commonly used) software. Therefore the distinction between commercial and open source is not important.