The real security audit should be done by hackers the same way browser and OS vendors do it. Vendor lists his website on some platform and specifies money he's willing to pay for found vulnerability. Hackers trying to find vulnerabilities. 3-rd party verifies vulnerability and ensures that hackers are paid. More money vendor offers for vulnerability — more hackers trying to crack his site — more confidence clients have.