The response to the audit reveals that it’s not as “scary” as the report makes it sound (from a “headlines” perspective).
VeraCrypt has active development. TrueCrypt does not.
Some of the report is subjective (an opinion about how “clean” the code is, which will improve with time anyways).
Any concerns with VeraCrypt are even worse for TrueCrypt (which is abandoned).
RIPEMD is only used for legacy (MBR) systems. SHA256 is used by default, otherwise. Thus, VeraCrypt leaves it as an option for legacy systems (if the user so desires to select it).
PBKDF2 is still used by LUKS1 (which is the default key derivation function used in a “full disk encryption” Manjaro installation). Thus, the fact that VeraCrypt uses PBKDF2 is nothing to fret over. They might use Argon2 in the future (same as LUKS2 does now). It’s really a non-issue for home users.
We’re not working with mission critical nuclear codes here. We’re just encrypting our files on our Linux laptops and PCs. VeraCrypt and LUKS (and even granular solutions like “Vaults”) are more than enough to keep your data private and deter most attackers. You’re not the target of a ragtag elite group of international hackers.