No, it's the smartest way of coping with vulnerabilities. The smartest way to defeat a vulnerability, for example in Microsoft Office, is not to use Microsoft Office in the first place. The smartest way to avoid Windows vulnerabilities is not to use Windows. Avoiding targeted software is the leading mitigation strategy.
I don't know what you're going on about here, but like I've said, nobody does the kind of auditing that you're looking for because of the time and expense. An audit can delay things for quite a long time and nobody is willing to accept that. Also, no one that I know of is willing to spend the time, effort and money to audit old code that has been built upon over years, if not decades.
Not to mention the bottom line of expenses. How about if I do audits of everything and pass on those costs to end-users? Let's say, raise the price by $20, $50 or more for each subscription? I've mentioned this a number of times in prior posts but you have not once acknowledged it. All you want is for security softs to have no vulnerabilities, but you almost assuredly would not want to pay for that luxury. And I do call it a luxury as, practically, vulnerabilities are little to worry about because they are a fractional threat.
Bug bounty programs are hit-or-miss. In real terms, they close potential exploits. However, they do little to stop exploits generally: exploits still happen. They're more or less a speed bump to the determined. The determined are always going to find a way. If one doesn't understand those statements, then they should research the topic in depth.
How well a piece of software protects the system is far, far, far more important than worrying about whether or not it has vulnerabilities. The topic of vulnerabilities in security software has been beaten to death forever, and the industry's answer has simply been to ignore that debate. The uninitiated and uninformed just see it as a black-and-white issue of "is there a vulnerability?", and if yes, it must be fixed, and the publisher is negligent if they allowed it to be released in such a state. Well... it doesn't work that way. Even if there is a vulnerability, it takes more than discovery to leverage it into an actual working exploit, which is something that very few have the capabilities, resources and willingness to make happen. Essentially, you are getting into the realm of high-capability organizations such as nation-state actors. If you're worried that some nation-state is going to exploit your security soft, then you have much bigger problems.
Unfortunately for you, you will find no security softs that meet your criteria. So either you revise your expectations or just don't use any security soft. Those are the two options.