Any project of this size should have security audits done by professionals who can be fired/sued for negligence.
Security professionals do not take on that liability. There is no such thing as 100% security and contracts are drawn up to reflect that. That said, it is proper due diligence for a decent sized company to hire external security people to assess a company's code, network, policies and procedures.
Security firms can most certainly be (and often are) sued for malpractice/negligence/incompetence.
Because of this liability, they pay a lot of money to insurance companies for coverage.
The lack of 2FA and the lack of offline (actually cold) wallets are their two most glaring fuck-ups.