Another possibility is they're worried you'll go out of business. In that case, they don't need to see the code right now. You can set up a code escrow agreement in case you cease to exist.
no, every big enterprise I've worked for we do source audits on everything that is allowed to run. We check for phoning home, we check for license issues, we check for massive security vulnerabilities. It's just a cover your ass kinda thing when 100k people are going to run an app. There's a whole department for that.
Yes, the calculus is completely different when you are a 5k midsize company vs a 50k+ behemoth. There are strict, multi-layered processes for everything in larger companies, especially software procurement (including yearly upgrades!), and legal attends every meeting.
