What is a security audit?

Risk auditing often deliver probability instead of a boolean for things like this.

I’m in favor of a probability of risk of each major section of code instead of one answer for the entire codebase.