It's impossible to guarantee security. It's possible that the audits were shoddy, that the devs added malicious code intentionally or unintentionally post audit or that there was just some new exploit. Ultimately the money invested from the glowing sources paid for a fairly reputable firm to audit the code but secure comms is always going to be a target.