The issue with #3 in practice is that roll your own tends to have its own undiscovered bugs and winds up being security by obscurity in practice unfortunately. There is a reason best practices for Cryptography involve throughly tested algorithims as opposed to just "the latest and greatest".
If you can audit completely enough to not leave anything then the question becomes why not audit the commodity? Lack of availability of auditable components or proportionate costs of doing so is the main answer I can think of.
If you can audit completely enough to not leave anything then the question becomes why not audit the commodity? Lack of availability of auditable components or proportionate costs of doing so is the main answer I can think of.