the most that hackers can do is to get some free money

That sounds pretty serious, and also a very lackadaisical attitude to the security of money. You want me to give you some of my money?

People aren't worried about being hacked per se; we're not too concerned with whether your server stays up, or if someone writes a temp file, or if they make your Heroku bill go really high. 'Security' in this case means my money and/or my bitcoins, which I'm entrusting to you. Can you make sure my money doesn't disappear? Statements like "well all that can happen is the money disappears" do not make me trust you.

All software has security vulnerabilities. Nothing is 100% secure. You need to know what your vulnerabilities are. You are entrusting your users to not reuse passwords; that's a vulnerability. You should have a list written down (privately) of your vulnerabilities.

- Source being viewed

I assume you mean the Ruby on Rails source code of your application? That should not be a security mechanism. You should be able to put that online and let everyone look at it without that having any security implications.

