Exactly. The code and executable might not match. As in obfuscated C, the code might be subtly designed to fail. Further, the code might work but be integrated with libraries or deployed on an OS that the enemy knows they can hit. The security case of a given piece of software always depends on the reviewers and knowing you're using what they reviewed.
That this is usually lacking in the vast majority of software is why we're seeing a ton of vulnerabilities in both commercial and FOSS software.