I can't imagine there are masses of webmasters and forum hosts digging into their coffers to donate to the development of phpBB3... what little is donated would hardly be enough to make a living on if you're one of the dev team. The idea of there being a "profit" is moot.
Let's see: there are donations, profit from ads on the site, and profit from advertisers in various forms on the site (hosting advertisements, job listings, etc.). Just those 3 combined + free hosting donated by OSUOSL + the sheer traffic of this site = plenty of profits. This may not be a full-time job for every dev; however, it is far from free work. People can be nice, but do you think the devs would do all of this for free?
[sarcasm="high"]Yes, they should have done the security audit when it was in BETA while still feature unlocked, when it would have been useless and pointless. You should always do a security audit before the software is even finished, just like they test security systems in buildings before the building is even finished being built.[/sarcasm]
I think you need to learn a bit more about the process of writing a program. When a program hits RC, meaning Release Candidate (meaning that even RC1 could have gone gold if no bugs were found), all of the core development is already done. Just about everything security-related should already be frozen.
A security audit of the beta right before RC1 would have uncovered all of the issues we are dealing with now. RCs are supposed to be only about bugfixing, and general bug fixing in RC stages doesn't typically open up a security hole; if it does, then the chances of it being caught are high, since you are focused on one area of code fixing a bug and you'll (typically) notice if you open up a security hole. If not, someone else will notice.
Again I must stress, I am not trying to bash the devs here or bash phpBB in any way; I am just trying to figure out why things are not being done the way development of a program usually goes...