Code reviews are not code audits; I don't think anyone would claim that. I understand that you are a "security researcher" and have never actually worked as a software engineer, so you will just have to accept that people who work closer to the whole development process use more sophisticated vocabulary to describe it.
Regarding your points:
1. They don't care about the maintainer's opinion; they upstream their shit to mainline because it is much easier to maintain it once there. Patches outside the tree are very prone to bitrot.
2. They don't care about your "research"; they have their internal security processes that code has to go through before being published, and they believe it to be already secure. They know that if you find something you will publicise it, which is bad PR for them.
3. That might be a reason for contributing to existing projects, but not for releasing their own source code.
But all of this is beside the point. The original claim was that corporations release their shit to trick hobbyists into doing code audits for them for free, exploiting them. I think we can agree that this is not typical, and if any corporation counts on it, they will be very disappointed.