You don't get the source code to their software. You probably rely on the results of an FDA audit of the MRI vendor. The FDA auditor would look at the validation protocols for the software. If they say they are using a "waterfall" development paradigm, the auditor will go through all the documentation for that and look for evidence of proper code review and sign-offs. This is the sort of thing auditors are trained to do. Theoretically they could audit and review the vendor's source code - in reality there are probably a dozen people at the FDA who could make any sense of the code. Those people are working on trying to make the FDA's own software work properly and won't be part of an audit team unless people are dying (and probably not even then).
Precedent says that you can get away with murder if you just rely on COTS (commercial off-the-shelf) software. Your MRI probably has a Windows user interface (shudder...) and may have a proprietary database back end, like Oracle, and many other layers of commercial software underneath. The FDA has little ability to audit them and no ability to access their source code. Also - installing current vendor patches for Windows or Oracle is usually not done frequently. Patches often trigger elaborate and expensive revalidation protocols to make sure the fix doesn't break something else. They would be unlikely to find a problem if one existed, but they are required to document that they spent $$$$ trying, so they will put it off. In some cases even updating anti-virus definitions would trigger a revalidation, so those don't get applied either.