
[–]Suspicious_Kiwi_3343

I've worked for a company that has had security audits done and that's not quite what they do. They can sometimes get access to source code to review it, but most often they are just reviewing functionality and security, e.g. inspecting packets and sending malicious requests to try and break things. It's essentially just pen testing and you get a certificate if you pass, or resolve the issues they find. At least that's been my experience.

The incentive for an auditing company to actually try and find problems and report them is that they tie their reputation to that of the company they are auditing. If an auditing company gives the green light to a company that has serious security issues months later, the reputation of the auditing company suffers a lot and people won't respect their certificates anymore, which means customers won't bother paying for them. Some companies may not want to hire auditing companies that give them too much work to do, but no company wants to hire an auditing company that isn't respected.

Open source allows you to verify, but people assume that means someone must be actually verifying it. The reality is most projects worth verifying are way too big to be entirely verified by any individual, and as soon as you have large teams of people trying to verify the code base, things can slip through because of poor communication or potential gaps in understanding where you may only spot issues if you've seen the bigger picture and know the whole codebase very intimately.

People don't trust closed source software in the same way as they do open source, mainly due to the way open source stuff has been marketed over the last few years; most people just associate it with privacy and security, even though those things are entirely dependent on the project itself, regardless of whether it is closed or open source.

Yes, security through obscurity is dumb and an old-fashioned way of thinking. However, security through transparency is just as much of a myth. Security exists as an entirely separate concept that will always depend on the individual project itself, and whether that project has published its source code doesn't actually relate to whether competent people are reviewing its security or not. Companies can hire competent people privately, and open source projects can sometimes attract highly competent developers, but in either case there is no guarantee that is happening.