Qubes code audit

The idea is to audit the code of Qubes OS to find any vulnerabilities within the Qubes operating system. This does not include blobs. This does not include an audit of Debian, Fedora, Whonix, etc. Just the Qubes OS codebase.

Vulnerability to what? - Data leaks? Data collision? Anything else? Hardware side-channels? As I said, this needs to be defined. Otherwise it is huge.

Also, that code does not exist in a vacuum on its own. It depends on other code (including the compiler or interpreter used, down to CPU microcode), i.e. it is vulnerable in a particular context, and if the context is the factor of vulnerability, that should be considered too. So, it seems to me quite complex with all the moving targets that make the code functional. I wonder what entity is capable of such thorough analysis.