It's hard to say that most mistakes are avoided from two audits. Especially in a browser; there's a lot of attack vectors.