Anyone remember Q-branches invention of wrist muscle triggered darts? There has to have been loads of similar devices in science fiction! Just goes to show 90% of patents should never be approved.

The problem is that code auditing generally tries to detect bugs. Even in the best case scenario where you can have a complete, manual audit of the entire codebase, you will miss many, many bugs. A much cheaper and in many ways better option is to just take a look at the code. Would you be proud of having written it? Ashamed? If you'd be ashamed of it, I say auditing is useless - there will always be vulnerabilities you've missed. If you're proud of it, an audit might be worth the cost - but, then, you could also spend the money on refactoring the code, use more privilege seperation, add better input validation, more sanity checks...

In a perfect world, all code would be statically checked, audited manually and by automatic tools, etc. But we're not in a perfect world. Auditing is very often NOT the best thing to spend money on.

Bear in mind that security is only as strong as it's weakest link. Do you trust the framework you're building on? The libraries you use? The OS? Your cloud provider?