Well yes usually the dev team is closed or is picky about recruiting new members due to infiltrators, people have to be vetted before joining the development team.

But that doesn't mean that you cant check and analyze the code. The latest source code is always available for public test, and most of the time the bug is there for a long time, it's just it's not discovered. It's almost never the latest commit that breaks things it's always an older bug.

So you can just download the latest source code and play around with it, check the portions that handles encryption. I myself have verified the Electrum source code, although I am an amateur programmer, I have already found a bug in the key generation algo and reported it to the developer.

With the Linux kernel and things like that it's more complicated. But things like Noscript or the OTR plugin can be easily audited and reviewed by essentially anyone who has a decent amount of programming expeirence.