Any experienced crypto investor knows that putting money into an unaudited contract that's less than a few months old is basically throwing that money away. There is another side to this, though, which is that protocols than have been around for a year or more without problems are quite trustworthy and become important building blocks for DeFi.
Yes, but these smart contracts are often fairly short (in essence, they shift value from one ledger entry to another), and not every bug is exploitable. They are also effectively paying a bounty worth hundreds of millions of dollars if you can find an exploit. It is not unreasonable to feel increasingly confident in their safety after some time.
