proof of solvency and the publication of our cold wallet!
we have decided to not publish the hot wallet address for security reasons
This makes it sound like you have only one cold wallet and one hot wallet. Surely that is not the case. I hope?
The amount of addresses they use has very little relevance for security.
Of course it does.
1 cold wallet = Only takes one security incident, one private key stolen, all funds gone.
10 cold wallets = Needs 10 security incidents to lose everything, otherwise one breach only loses 10%.
Naturally the 10 cold wallets need to be stored separately and in different manners in order to be effective.
Same goes with the hot wallet. One flaw in the app or servers and the entire thing could be drained. Multiple hot wallets on separate servers with very different access methods will make it much more difficult for a hacker to take all of the hot balance. More likely they'd go for the first one they could get and after that Vault would know and shut the rest down.