A good company would have an array of audits to go through: remote testing, internal scanning, manually glancing over code, running specialized software, etc.
At XenFans we've run Google RatProxy for a month while using the alpha, and found one issue, which was due to jQuery converting things back in regards to HTML entities, so XSS was possible if you had moderator access with access to inline moderation, but that was it. Other reported things were all insignificant warnings.
I will dump the many gigabytes of data to a report.html soon, since we stopped running it when beta2 came out, and mail it to Kier for review.