The Zcash protocol is made up of many components. There’s the consensus layer that provides an append-only ledger; there’s the transparent protocol inherited from Bitcoin (with changes); and there are two shielded protocols, Sprout and Sapling. These each use various cryptographic components, such as hashes, commitment schemes, signatures, encryption schemes, elliptic curve key exchange, zero-knowledge proving systems, and so on.
So, there’s really quite a lot to audit. The Sapling protocol spec is written very densely and it’s still 142 pages; this doesn’t even include the specifications of existing cryptographic components that we have reused. With the possible exception of the transparent parts, the vast majority of this is necessary complexity for a protocol that provides Zcash’s functionality.
The counterfeiting vulnerability was in one of the zero-knowledge proving systems, BCTV14, which had been published and peer reviewed several years before the development of Zcash. The audits necessarily, given the resources and time available, focused mainly on the new components that had not previously been peer reviewed.
The designers of Zerocash had selected BCTV14 as the zero-knowledge proving system. For many years, zero-knowledge proving systems had been too inefficient for practical deployment. BCTV14 and its predecessor, Pinocchio/PHGR, were breakthrough systems that provided order-of-magnitude performance increases; it was the development of these systems that made Zcash feasible. For technical reasons, we could not have deployed Pinocchio (that system depends on symmetric pairings which had been found to be less secure than desired). So at the time, BCTV14 was one of the only practical options available. Unfortunately, the changes that BCTV14 made to Pinocchio were only argued informally; it had no security proof. None of the audits included security analysis of the proving system; indeed, we probably couldn’t have found auditors with the expertise needed to analyse that system in the time available, at any price, since that expertise was only present in the academic community rather than in commercial auditing companies.