No, postfix hasn't had a single valid bug found by AI. There are legions of other projects as well.

It is a distorted view, because projects become popular by allowing indiscriminate commits, bugs, maintainers.

If I'd start a new project I'd allow anyone in and blog about 100 exploits every year, because that is exactly what people want. I'm serious.