by shawnz 2127 days ago
Open source is not the be-all end-all of security either. Closed source apps can still be audited (with increased difficulty), and open source apps might still be impractical to audit even though they are open source.

Nobody's claimed that. Open source is not a panacea for verifiable security; it is, however, a requirement of it.
No, it is not necessary _or_ sufficient. That is what I'm saying. You can audit a closed-source app, and there also might be open-source apps which are impractical to audit despite them being open source.
If you have your closed-source app audited, everyone needs to trust the audit company. And I've seen some shit audits in my life that told absolutely nothing about the actual security.

Open source means anyone can audit and verify nothing was done after the audit.

Moxie more or less audited WhatsApp's Signal protocol implementation, and people are right to be concerned about whether changes have been made since FB bought the app.

It can also be reverse engineered by third parties. Whatsapp in particular has been subject to extensive analysis by reverse engineering.