A security audit is still useful when you have the sources of the program. There may still be some intended or just accidental security problems in it. Having the sources makes such an audit a lot easier to do.
Is there a standard process anywhere for vetting some software for information leakage? I would imagine that someone would deploy the software behind a MITM proxy and then look at the traffic, but it would be nice if there were some standard process or framework for this somewhere.
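The post above describes capturing the software's traffic behind an intercepting proxy and then looking at it. What follows is an added example, not something from the thread or any particular tool: a script that takes requests already captured by such a proxy and scans the path, query string, headers and body of each one for identifiers of the test machine (hostname, username, MAC address, serial), also checking URL-decoded and base64-decoded forms so that trivially encoded values are not missed. The secret values and the captured requests are constructed for the example; the structure of a request (method, url, headers, body) is an assumption about how you would export the proxy's capture.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed: identifiers of this test machine/user that should never
# appear in outbound traffic. A real audit would collect these from the host.
LOCAL_SECRETS = {
    "hostname": "dev-laptop-042",
    "username": "jdoe",
    "mac": "00:1a:2b:3c:4d:5e",
    "serial": "C02XY123ABCD",
}

# Constructed sample of requests as an intercepting proxy would have captured
# them (method, URL, headers, body). Not real traffic.
CAPTURED = [
    {"method": "GET",
     "url": "https://updates.example/check?ver=1.2.3&hw=00:1a:2b:3c:4d:5e",
     "headers": {"User-Agent": "tool/1.2.3"}, "body": ""},
    {"method": "POST",
     "url": "https://telemetry.example/v1/event",
     "headers": {"Content-Type": "application/json"},
     # base64("dev-laptop-042"): a plain substring search would miss it
     "body": '{"event":"start","host":"ZGV2LWxhcHRvcC0wNDI="}'},
    {"method": "GET",
     "url": "https://api.example/profile?u=jdoe%40corp.example",
     "headers": {"X-Device-Serial": "C02XY123ABCD"}, "body": ""},
    {"method": "GET",
     "url": "https://cdn.example/icons/app.png",
     "headers": {"User-Agent": "tool/1.2.3"}, "body": ""},
]

# Candidate base64 runs; anything that fails strict decoding is ignored.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def _decodings(text):
    """Yield the text itself plus URL-decoded and base64-decoded variants."""
    yield text
    decoded = unquote(text)
    if decoded != text:
        yield decoded
    for tok in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            yield raw.decode("utf-8")
        except UnicodeDecodeError:
            continue


def _hits(field, text, secrets):
    """Return (field, secret_name) pairs for every secret found in text."""
    found = []
    for variant in _decodings(text):
        for name, value in secrets.items():
            if value.lower() in variant.lower():
                found.append((field, name))
    return sorted(set(found))


def scan_request(req, secrets=LOCAL_SECRETS):
    """Check path, query, headers and body of one request for leaked secrets."""
    parts = urlsplit(req["url"])
    findings = _hits("path", parts.path, secrets)
    # parse_qsl already URL-decodes the values (jdoe%40... -> jdoe@...)
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        findings += _hits(f"query:{key}", val, secrets)
    for key, val in req.get("headers", {}).items():
        findings += _hits(f"header:{key}", val, secrets)
    findings += _hits("body", req.get("body", ""), secrets)
    return sorted(set(findings))


def scan_capture(captured=CAPTURED, secrets=LOCAL_SECRETS):
    """Map 'METHOD host/path' to its findings; clean requests are omitted."""
    report = {}
    for req in captured:
        findings = scan_request(req, secrets)
        if findings:
            parts = urlsplit(req["url"])
            report[f"{req['method']} {parts.netloc}{parts.path}"] = findings
    return report


if __name__ == "__main__":
    for endpoint, findings in scan_capture().items():
        print(endpoint)
        for field, name in findings:
            print(f"  leaks {name} via {field}")
```

Running it reports three of the four constructed requests: the MAC address in the update check's query string, the base64-encoded hostname in the telemetry body, and both the username and the serial in the profile request. The substring approach is deliberately simple; it will not catch hashed or encrypted identifiers, which is why the captured traffic still needs a human pass as the post suggests.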
It's a huge code base; of course there are security issues, the same way IDA and radare have security issues. People who reverse malware take that into account.