It's exceptionally difficult (read: expensive, time consuming) to do a forensic audit of the sort you're describing, and the adversary has an advantage in this game, because they could potentially engineer their malware to erase itself after the election is over.

The goal of RLAs and other kinds of election auditing procedures is to achieve a property called software independence, such that we can gain confidence in the correct outcomes of an election without requiring any confidence that the software is correct.