Re: I guess he gets points for trying?
"Perhaps a decent web security consultant might have been a better investment?"
I think an "app" security consultant would be better as apps also store data on the phone and synchronise between devices, which doesn't feature in web security.
I have trained so many web developers over the years in iOS programming and they are blown away about how much more complicated it is dealing with a device that can hold data and process it locally (plus synchronise through a cloud that they have no control over).
Web security is a very centralised view of the world, app development is far more distributed and can catch you out.
He probably had a web security consultant, which might be where he went wrong in the first place.