Sure, that will depend on the courts and the specific case, as it seems it works exactly like this mostly. But if you inspected the code yourself and you put your money in anyway and it is gone, you might find that the court will not do anything at all. And who can you shout at then, the moon? I am saying that smart contracts are a special case: they are small pieces of code; if they have a bug, it usually causes major damage, and if they run on the eth chain etc. and no one took public responsibility for deploying them, there is no one to sue. We have no way to write this type of bomb without flaws, as you rightly say, and because of the irrevocable damage and the lack of a defendant in most cases, these contracts should not be used at all.
There are already (many) cases like this, but if I write some software and put it on GitHub, someone else deploys it and people die, that is simply not my fault: it is the deploying person's. In normal situations, it is easy to find the defendant, but on the chain, you won't be able to: anyone can deploy anything and you won't know who it was. So unless you want to end open source software, you have no case against anyone.