by hamandcheese 3261 days ago
As far as the audit, I feel like 13 days is surprisingly short. I base this on my experience getting new jobs and familiarizing myself with new code bases. Maybe I'm slow.
2 comments

13 days (let's call it two weeks, assuming full person/weeks of time) is not atypical for an assessment. If you have multiple people working simultaneously on a two week assessment, you can "comfortably" assess fairly complex applications.

What is surprising to me is that so little of that time was devoted to cryptography. For a secure messenger that time should be ratcheted up a bit (though the security infrastructure and general software implementation stuff is also very important).

It depends heavily on how much code there is and what language it's written in. Also, code auditors can often eliminate large swaths of the codebase with high confidence when it's clear that there is no attack surface, so it isn't always necessary to grok the whole codebase.