"Straightforward" might not be a great choice of words, BUT, if you have enough money and engineers, you could get them to do a full audit of everything. The source code is freely available, there's nothing stopping you.
Compare this to something like, for example, TikTok, where the code is completely closed. The only kind of auditing one may do is looking at network traffic, and maybe some disassembly/hex-editing.
I'm not saying that everything needs to be OSS but it is nice to have options.
Also, in the specific case of the kernel, the auditor would only need to audit the subset of code they plan to compile and use. A lot of the kernel code is drivers and the auditor probably doesn't need all of them.
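One concrete way to scope an audit the way this comment describes: kbuild leaves a `.<name>.o.cmd` file next to every object it actually built, and each of those files records the source it came from on a `source_<obj> := <path>` line. The script below (an added example, not code from any commenter) walks a built tree, recovers that compiled subset, and separates it from the driver directories. It assumes the tree has already been built with the `.config` under audit and that the `.cmd` files use the `source_... :=` convention; the sample tree it builds in a temp directory is constructed for illustration and stands in for a real kernel checkout.

```shell
#!/bin/sh
# Added example (not from the thread): narrow a kernel source audit to the
# files that the current .config actually compiled.
# Assumption: the tree was built in place, so every object has a sibling
# ".<name>.o.cmd" file whose "source_<obj> := <path>" line names its source.

# Every .c file in the tree: the surface an auditor would naively face.
all_sources() {
    (cd "$1" && find . -name '*.c' | sed 's|^\./||' | sort)
}

# Sources that kbuild actually compiled, recovered from the .cmd files.
compiled_sources() {
    (cd "$1" && find . -name '.*.o.cmd' \
        -exec sed -n 's/^source_[^ ]* := //p' {} + | sort -u)
}

# Compiled sources outside drivers/: the core the auditor cannot skip.
compiled_non_driver_sources() {
    compiled_sources "$1" | grep -v '^drivers/' || true
}

# Count lines without the leading whitespace some wc implementations print.
count() {
    awk 'END { print NR }'
}

# Constructed sample tree standing in for a built kernel: six .c files,
# of which kbuild "compiled" three (one driver, two core files).
make_sample_tree() {
    t=$(mktemp -d)
    for f in kernel/fork.c mm/slub.c drivers/net/foo.c \
             drivers/gpu/bar.c drivers/usb/baz.c fs/ext4/inode.c; do
        mkdir -p "$t/$(dirname "$f")"
        : > "$t/$f"
    done
    for f in kernel/fork mm/slub drivers/net/foo; do
        printf 'cmd_%s.o := gcc -c -o %s.o %s.c\nsource_%s.o := %s.c\n' \
            "$f" "$f" "$f" "$f" "$f" \
            > "$t/$(dirname "$f")/.$(basename "$f").o.cmd"
    done
    echo "$t"
}

# Summary a reviewer would paste into the audit plan.
report() {
    echo "all sources:        $(all_sources "$1" | count)"
    echo "compiled:           $(compiled_sources "$1" | count)"
    echo "compiled, non-driver:"
    compiled_non_driver_sources "$1" | sed 's/^/  /'
}

# Usage: point it at a real built tree instead of the sample.
#   tree=$(make_sample_tree); report "$tree"; rm -rf "$tree"
```

The `source_` lines only name the translation unit; the headers it pulled in are listed on the `deps_` lines of the same `.cmd` file, so an audit that wants the full set of code that influenced each object should parse those too. Out-of-tree builds (`make O=...`) write absolute paths into the `.cmd` files, which the `grep -v '^drivers/'` filter above would miss.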
Source code access makes surprisingly little practical difference for discovering security vulnerabilities. People routinely find security vulnerabilities in major closed source operating systems like Windows and iOS and submit their findings to MS/Apple for bounty, or sell them to exploit brokers. Reverse engineering tools like Ghidra can decompile code back to C to make auditing easier, and black box fuzzers have proven massively useful for discovering vulnerabilities without auditing code line by line.
TikTok is far smaller, and has a smaller attack surface. If there was money in it, people would audit TikTok all day.
Open source makes security vulnerabilities and bugs somewhat easier to discover, but the real benefit is that it makes them easier to fix once discovered. With proprietary closed-source codebases, you must wait for those who have access to fix anything reported, which in some cases never happens, or can take a very long time. With open source, anyone who has the knowledge and skill can step up and fix anything they feel like, and submit said fix back to the codebase for review and possible inclusion, or fork the code and apply the fix themselves if necessary.