Contracts themselves can hold funds. Usually a contract hack extracts the money the contract holds.
$3500 was the average cost per exploit they found. The cost to scan a contract averaged $1.22. That cost should be paid by each contract's developers. Often they pay much more than that for security audits.