Audits can be hit and miss; I’ve seen high-quality code review companies just miss major and obvious mistakes in the security by simply not tracing the execution logic step by step in critical code sections and instead just scanning the code for common known mistakes based on code fragment matching.
The same could be said for proprietary applications, which may never see third-party audits because 'meh, customers have no access to our source and IP protection or something'.