"How do you show who put the dodgy line of code in, and when?"
Any good version control system can tell that - although it could be tampered with, unless some extra precautions are taken. Good requirement management systems are usually built on version control systems, or the like.
Peer review, tests, etc. could be performed as design reviews - someone has to sign that it was done, and risk the consequences.
Evidently, if everything just becomes box ticking, the risks increase exponentially.