I think the reason I found so much in only 10 hours is that I had a good set of guesses about what could be wrong, based on what I've seen people get wrong before. From there it was just a matter of prioritizing which guesses to check. I did look at a lot of the code, although it was mostly guess-checking combined with a closer look at the cryptography code.
Because the audit was so short, the quality of the report suffered (ASCII, some mistakes, some severity ratings that I no longer agree with, etc.). My priority was to find as many problems as possible in the amount of time I was given, and then sort that out later.
To answer some other replies: I always report unbilled hours (in this case none), since I think it's dishonest to say you worked fewer hours than you did. You would essentially be claiming to be more productive than you really are.
That seems to be the case, but I couldn't find any rigorous documentation on the crypto EncFS uses, so I imagine even this level of review required code review (that's also the only way you get a finding like the timing-leaking MAC validator, though I dispute that finding's "Medium" severity and think it's sev:lo).
Some of it must have required at least some level of code review (e.g. MACFileIO.cpp, line 209). Even so, between the review and the writeup, etc., if the total 'billed hours' is really ~10, the rather large hourly rates I've seen for such audits do appear much more appetising, at least to me.
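The "timing-leaking MAC validator" finding mentioned in the two comments above is the classic early-exit tag comparison. The following is an added illustration, written for this discussion and not taken from EncFS or the audit report: it does not reproduce the code at MACFileIO.cpp line 209, it simply shows the shape of the bug next to the constant-time fix. The 16-byte tag values are constructed sample data, and `bytes_examined` is a stand-in for elapsed time so the leak can be observed without a stopwatch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Outcome of one tag comparison: whether the tags matched, and how many
// tag bytes the routine examined before deciding. The byte count models
// elapsed time: if a verifier's running time depends on how many leading
// bytes of a supplied tag are correct, that dependence is the timing leak.
struct CompareResult {
    bool match;
    std::size_t bytes_examined;
};

// Early-exit comparison (the vulnerable shape): it returns at the first
// differing byte, so the work done depends on the secret expected tag.
CompareResult compareMacLeaky(const std::vector<uint8_t>& expected,
                              const std::vector<uint8_t>& provided) {
    if (expected.size() != provided.size()) return {false, 0};
    for (std::size_t i = 0; i < expected.size(); ++i) {
        if (expected[i] != provided[i]) return {false, i + 1};
    }
    return {true, expected.size()};
}

// Constant-time comparison (the fix): always walks the whole tag and folds
// every byte difference into one accumulator, so the work done does not
// depend on where, or whether, the tags differ. Production code should use
// the library primitive for this (e.g. OpenSSL's CRYPTO_memcmp) so the
// compiler cannot optimise the loop back into an early exit.
CompareResult compareMacConstantTime(const std::vector<uint8_t>& expected,
                                     const std::vector<uint8_t>& provided) {
    if (expected.size() != provided.size()) return {false, 0};
    uint8_t diff = 0;
    for (std::size_t i = 0; i < expected.size(); ++i) {
        diff |= static_cast<uint8_t>(expected[i] ^ provided[i]);
    }
    return {diff == 0, expected.size()};
}

// Constructed 16-byte sample tag for the demonstration (not a real MAC).
const std::vector<uint8_t> kExpectedTag = {
    0x1f, 0x2e, 0x3d, 0x4c, 0x5b, 0x6a, 0x79, 0x88,
    0x97, 0xa6, 0xb5, 0xc4, 0xd3, 0xe2, 0xf1, 0x00};

// Build a wrong tag that agrees with kExpectedTag on every byte before
// `index` and differs at `index`. Used to show how the leaky comparison's
// cost grows with the number of correct leading bytes.
std::vector<uint8_t> forgeryWrongAt(std::size_t index) {
    std::vector<uint8_t> tag = kExpectedTag;
    tag[index] ^= 0xff;
    return tag;
}

int main() {
    for (std::size_t i : {std::size_t{0}, std::size_t{4}, std::size_t{12}}) {
        std::vector<uint8_t> bad = forgeryWrongAt(i);
        CompareResult leaky = compareMacLeaky(kExpectedTag, bad);
        CompareResult ct = compareMacConstantTime(kExpectedTag, bad);
        std::printf("mismatch at byte %zu: leaky examined %zu bytes, "
                    "constant-time examined %zu bytes\n",
                    i, leaky.bytes_examined, ct.bytes_examined);
    }
    return 0;
}
```

Run as-is, the leaky routine's examined-byte count climbs with the position of the first wrong byte while the constant-time routine's stays at 16 for every input; that fixed cost, not the correctness of the result (both routines reject every forgery), is what the fix buys.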
Every consultancy/consultant/project is different, but it's unlikely that they sat down with the code at 10AM and sent the report out at 8PM. It's not uncommon for there to be some unbilled hours, for instance if the consultant ends up researching a new technique/vulnerability and they will be able to re-use the knowledge in other projects. So don't feel bad :)
I can imagine that's way faster than doing a thorough code review, though the number of results from 10 hours is still very impressive.