> The concern is it would be a security risk if anyone knew how the application worked

Uh, that's the classic security through obscurity (STO) defense on the face of it but it sounds like a cop-out to not open source it. If one desires not to open something that's fine, but if they misrepresented the reason for doing so would be bullshit.