Open to audits doesn't mean free software, it just means visible source. The business model for selling routers with auditable firmware is selling routers.

And the public doesn't have to audit it. The govt already audits/inspects/validates plenty of sensitive physical products, typically through 3rd party industry associations. You don't get to peek inside, but people signing NDAs do.

Even if this wasn't done, at the very least they must publish their software testing procedures, the way UL, ETL, and CSA require to certify devices for the US power grid. (https://www.komaspec.com/about-us/blog/ul-etl-csa-certificat...) They can also do black box testing.

But ideally they would actually inspect the software to ensure its design is correct. Otherwise vibe-coded apps with swiss cheese code will be running critical infrastructure and nobody will know until it's too late.