By audit I'm referring to the people who worked on the code, not the code itself. Running background checks on a firm and having a strong contract with a firm is easier than hiring people to audit the underlying source code. It's not better. It's just easier. Based on the reaction to my post, people seem to think I'm arguing that closed source is better. I'm not. I'm providing, from personal experience, an explanation of the thought process behind why some companies in some industries stick with closed source. I'm not saying the reasoning is correct and leads to actually reduced security vulnerabilities/risks, etc. - it almost definitely doesn't. But people think it does; the legal liability is easier since you just have to sue one company; auditing is easier since you just audit one company (not the tech, the company - these managements and firms are not tech-savvy enough to audit the codebase; as far as they are concerned, clear background check = code is OK to use for critical stuff). I agree with you that it's strictly worse. If you have better luck than I do convincing a conservative financial services firm that using R is better than using SAP, please do let me know how you pulled that off.