If only it were so simple. There's a whole industry of consultants who offer their time to help people like your friend secure their sites, and there are some automated tools out there, particularly for finding things like buffer overflows, but security auditing is still largely a manual process done by experts.