Well, it's not as simple that imo. Developers can work on a project for months, write a lot of tests to verify expected behaviour and there can still be unintended bugs the developer didn't catch. Even with multiple people vetting the code, sometimes all of them overlook a weird edge case that nobody thought about which can be misused by an attacker. I've worked for a couple of big worldwide companies as a developer and I've seen this many times over the years. There is always some trust involved when you run code, either you have to trust your own code or someone elses.

I hope you get the help you need to get the bitcoins back though, it's fantastic to have people like you in the community that wants to host services and help others out in some kind of way. 4 BTC is a lot but I hope you keep that community-spirit up after this too.