I've written code for an FDA-approved class 2 device. In this case class 2 means roughly that the device is used for making medical decisions but not in direct contact with the patient. A failure could mislead a physician, causing serious harm, but the device can't harm the patient directly. The code actually was the product since the approved "device" was a software program. We had to submit documentation that showed the device was safe when used by the targeted user, in our case a trained physician. We also submitted a lot of paperwork showing how the product was developed with solid traceability to all design decisions for everything from the software to the packaging to the marketing materials. Probably the most important part of those docs was a large table that had to be reviewed at every meeting showing that if the risk of a certain failure was X and the event caused by that failure had severity Y and their combination was above a threshold, that we did something to mitigate the risk.
All that documentation ran for hundreds of pages and thankfully my traceability was mostly pointing at source control and saying, "you can see when I did what and why based on the timestamps and what ticket or design requirement it was connected to". Beyond that we had very large data studies showing that the product worked as we claimed. Those consisted of running previously recorded clinical data through our system and showing that with all these real-world recordings we did what we claimed. This counted as real-world since the software was designed to be run against recorded patient data.
At no point along the way did the FDA actually RUN our software or test it independently. The onus of that was on us and we had to submit extensive documentation about that testing. Audits consisted of the FDA representative coming to the company, reading reams of documentation, randomly pulling records that we claimed we had to prove we REALLY did what we said, and speaking with employees to confirm that they had some idea of what they were doing and what documentation they had to produce.
Honestly I'm not sure how else the system could run given that it takes so many incredibly specialized people to reasonably test a device. I don't really see any way the FDA could have a staff capable of doing that without becoming an absolute behemoth and slowing the approval process even more (it took years when you include the testing, verification, and documentation). There's room for improvement, but it's already no walk in the park. The FDA is pretty much making sure that if you claim a product does X that you have data to back that up and then if something goes wrong that you can trace the fault back to the source and know what happened.