A reason I would not trust open source projects where no much activity is around, if I cannot read things myself or if I don’t know that person well enough. But sure, I was not explaining the whole thing, because I did not want to write a wikipedia article here. 
And let’s say a not so much used project has a critical vulnerability, the chance someone abuses it is also very little. The attack-surface scales with size and importance of the project and so also the amount of eyes watching it - usually.
The issue with audits are, that they cannot view the whole code. They’re just a bonus to find issues, but they do not replace the everyday attention.