This is false. The security company has its own reputation to mind, and its people their own conscience. (There may be cases like you're saying, but "anytime" and "purely" is completely wrong.)
This is first-hand as well. But I'm not the one making a universal claim.
I think what they are trying to say is that nothing would prevent the company ordering the audit from providing the firm conducting the audit with another branch of the source code.
This is first-hand as well. But I'm not the one making a universal claim.