Board: Service Discussion (Altcoins)
Re: Can we really trust CryptoNote code?
by Varuna on 20/12/2016, 10:55:52 UTC
Well, the malicious code may or may not be related to cryptography. That's true.

The cryptography, on which the proof-of-work is based, may contain a way to reconstruct a private key from a public one. Only an expert cryptographer may be able to spot it.
Some math functions may seem unidirectional but they may not be such.
Monero's review of the whitepaper was aimed at addressing this kind of issue.
The reviewer basically says: OK, from my analysis of the whitepaper, from a mathematician's point of view, the concept of CryptoNote seems secure.
This, though, does not mean that the code is secure, since the code may or may not be an exact implementation of the concept and may contain malicious code.
The mathematician who performed the review did not analyze the code.
Moreover, we don't know anything about the reviewer. Is he an academic? Is he an amateur? Is he nothing at all?

The malicious code may not be related to cryptography at all. It could, instead, allow the creation of a very large botnet.
The analysis should be performed by an expert on botnets and peer-to-peer communication.
The communication protocol should be analyzed in order to exclude the possibility of it being used to direct, for example, thousands of requests to a single IP address in what is called a DDoS (Distributed Denial of Service).
Think about it. You have software which is running on thousands of devices and contains code created with the legitimate purpose of coordinating nodes...
May that code be diverted from its legitimate use and used instead to attack a vulnerable target? Attacks of this type have already been directed against well-known exchanges like Kraken, Coinbase and BTCChina. The attacker could ask for big money for stopping the attacks.

I did not say that Monero should not be paying for those analyses. Whoever does them, though, should possess enough credibility in the field of cryptography and/or botnets.
His identity should, therefore, not be hidden and be, instead, verifiable.