There are two points I would make about third party audits. First of all, they simply move the trust requirement. Instead of trusting the entity itself, you are now trusting the auditor. They still don't allow anything to be independently verified by the user themselves. And secondly, even if you do trust the auditor, they only show a snapshot at the time of the audit. Anything could have changed between then and now.
It's what can change between then and now what's worrying. There's trust with audits but in moving environments you don't know when the next security flaw's going to show. When it's NordVPN or ProtonVPN they've been asked by courts to hand over customers records. They've kept log times, email addresses & paying methods they don't log browsing history or anything related to customers identities. They hand over nothing because they're not logging online activity.
Not at all. In addition to the points I made above in regards to VPN providers, when it comes to exchanges, there are even more unknowns. The proof of reserves which many exchanges are starting to publish is easily tampered with or altered to make it appear more favorable to the exchange, and proof of reserves without proof of liabilities is absolutely meaningless.
There is no way for a user to ever verify completely the security, privacy, or solvency, of a third party they are using. The only way to do this is to keep your coins in your wallet.
Proofs of reserves & unexplained strange movements of funds will get published if they're audited. Complete verification of solvency shouldn't be a problem to detect but audits can't stop exchanges being targeted. Hackers are trying to get past security systems every day because they're storing billions in cryptocurrencies.