How secure is the plugin code (or even WordPress's own code)? To a large extent I'm taking it on trust.
The core WordPress code is all right. There are too many eyes going there, so if you're not using an obsolete version with known vulnerabilities, you should be fine. The plugins are a whole other story; they can be anything from rock solid to a sieve of holes, and with not many people interested in them you can't really trust how secure they are. Of course, if it's about a site of Joe's Carwash it wouldn't really matter how secure (or not) it is.
Note that I haven't audited WordPress plugins specifically, but I've worked on various 3rd party forum plugins with similar results.
If you were my "partner" providing the audit service how would pricing work for something like that? A single fee for a particular configuration, or fees per installation tested?
Could be either. I can charge code audits by case or by hours spent. If you commonly use a couple of plugins, that's your best shot. Testing particular installations is a different thing, as it is about server configurations, password strength, backup setups and such. For more frequent jobs or a greater volume of work, I can offer a lower "retainer" rate (I'm cheap anyways).
Btw, are you genuinely interested or just asking out of curiosity?
greyhoundcode is onto something; this is probably the best way of getting business: doing security consultation on newly created sites.
I imagine so, especially since it would allow for the early detection of design-level problems, which will make it cheaper and easier to correct.
Thanks for the comments, guys, I've put this project semi-on-hold, as I'm currently knee deep in something else, but "the end is near" so this discussion for different angles is very useful to me.