I should have qualified my statement better. There aren’t many people in the world who can accurately audit a complex application. Evidence of the above fact is that there are approximately zero complex applications without a history of security issues, and there have even been successful attempts to maliciously add exploitable bugs in open source projects.
Among these people only a small minority is able to perform a similar audit on compiled code, and only at a much lower pace.
So I agree that it is possible to check a binary, but it is not feasible in a reasonable way.
PS. You are a well-known (maybe even famous in the community) software security expert. Your perception of the availability and competence of good experts may be skewed by the fact that you probably know most of the good ones.
He can maybe do it, and a few dozen other people. There simply aren’t enough good experts to do it on any significant portion of popular software products.