The plus side is that smart contracts provide their own "bug bounty" programme. If a smart contract that handles a coin with a market cap of +50M USD has not been breached, I absolutely trust that contract to be safe.
Then it becomes a matter of game theory as to whether you cash in the bug immediately to empty the pot, or wait for it to grow even more from the positive feedback loop of it being "obviously bug free if it grew this large". For state-sponsored actors, 50M would only be a modest sum.
