With the proper authorizations, many people can perform a penetration test of the web site. It should be fairly easy to run one, or contract to do it, and publish the results. It would certainly be worthwhile to have some evidence of security in place.
Some people can do the pen testing without authorization but not legally from the USA.
That's right, Ivan.
If a site won't publish the results from one or more of the readily available penetration testing services, you should assume that their code is ready to be opened up by hackers like a tin can of sardines with a pull-tab.