
It is closed source and I am not sure that the code base was audited.



Closed source I can deal with, as long as a strong audit has been performed.

Found this: https://www.enpass.io/security-audit-report/

I'm not a security expert, so not sure if those audits are trustworthy.


That's the problem though, isn't it? Unless you're an absolute expert in every aspect of a thing, you gotta trust someone who claims to be the expert, eventually. Or never trust it.

When it comes to security audits of software I often prefer to see that software failed at this or that, and was corrected, with a reasonable explanation of both the problem and the applied solution. To me, this shows that 1) the audit was actually performed and not just bought/pencil-whipped; and, 2) the developers acknowledge their [inevitable] mistakes and correct them. It also teaches me what to be aware of for other, similar software.

In other words, I would rather see a pimple once in a while than be convinced by makeup that everything is perfect.


Well said, this is a reasonable way of looking at the situation.


I appreciate this perspective.



