Hacker News

It's the other way around. Messaging apps need to demonstrate their own security by releasing the source code.

So far only TextSecure does this.



One doesn't demonstrate security by releasing the source.

One needs to have source released, audited and verified to match prebuilt binaries that are actually used by the unwashed gray masses. Without all three checked for each public build you have zero assurance that you are running a binary built from the released source and that the source doesn't have anything fishy in it.

The only app that checks all three, somewhat ironically, is TrueCrypt. PGPfone checked #1 and #3. TextSecure checks just #1 unless I am missing something, so objectively its "demonstrated security" is exactly the same as that of any other app that simply describes what it does in plain English and has traffic to prove it.


The TrueCrypt audit still hasn't been finished yet, has it?


Telegram's client code is also open source.



