An audit is performed by manually inspecting the source code for implementation and design flaws. The pitfalls of most programming languages are widely documented. Code will be audited for adherence to best practices, and in most cases we will not bother with producing proof-of-concept exploits. Exploitable or not, bad code has no place in a networked world.
We are not babysitters or hand-holders. We expect the application developer to try as hard as possible to write code free of security problems. If we find that not even minimal effort has gone into the security of the application, we abort the audit activity and find something better to do with our time. This results in incomplete audit results being posted, advising against using the package. It is then up to the application developers to improve their knowledge of the programming language at hand and consequently improve their application.