What's an iteration, and why are 1000 or 2000 iterations considered "low"?
When you enter your password, it is not used directly for encryption. First, it goes through a password hashing scheme. The one TrueCrypt uses is dated but widely accepted: PBKDF2. This algorithm does some clever (and some not very clever) hashing of your password with "salt" to defend against rainbow tables, and then to help defend against brute-force attacks it hashes your password using some respected hashing algorithm such as SHA256 over and over.
The point of iterating many times is to waste CPU time. The idea is that an attacker has to do whatever you do to make a password guess, and if you make each guess take a long time, then you slow down attackers. This is called "key stretching". A proper TrueCrypt implementation should burn on the order of 1 second of CPU time every time you enter a password. This greatly improves the protection of both your data, and your password.
TrueCrypt's defaults of 1,000 or 2,000 iterations made sense back when we were using the original Intel Pentiums, and no one was using graphics cards or ASICs to speed up hashing algorithms. Nowadays, 2,000 rounds of SHA256 is close to worthless, IMO. On a custom computer chip called an ASIC, we can do a billion rounds of SHA256 per second with $10 worth of hardware.
VeraCrypt already includes far longer key stretching, significantly enhancing security. CipherShed plans to do this later this summer/fall with a release to address the Phase I audit suggested short-term fixes.
Doing key stretching well is something of an art. I had a ton of fun this spring creating my own algorithm to do this. There is an international competition going on right now called the Password Hashing Competition. I think the winning algorithm should be supported in a future version of CipherShed. In the short term, the audit recommends that we do something similar to VeraCrypt, just increasing iteration count, but it is far more effective to use a modern "memory-hard" key stretching algorithm. The standard one is called "scrypt", and it improves security over PBKDF2 by about 20,000X, meaning it will cost an attacker about 20,000 times more per password guess.
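The key stretching described above, as an added example that is not part of the original post and is not TrueCrypt, VeraCrypt or CipherShed code: it times one PBKDF2-HMAC-SHA256 password guess at 1,000 and 2,000 iterations, calibrates an iteration count that costs about 1 second on the local CPU, and times one scrypt guess for comparison. The function names, the sample passphrase and the scrypt parameters (n=2**14, r=8, p=1) are assumptions chosen for illustration.

```python
import hashlib
import os
import time


def stretch_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key; cost grows linearly with the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def stretch_scrypt(password: bytes, salt: bytes, n: int = 2**14, r: int = 8, p: int = 1) -> bytes:
    """Derive a 32-byte key with scrypt; each guess needs about 128*n*r bytes of RAM."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)


def time_guess(kdf, *args) -> float:
    """Seconds of wall-clock time for a single password guess."""
    start = time.perf_counter()
    kdf(*args)
    return time.perf_counter() - start


def calibrate_iterations(target_seconds: float, start: int = 2000) -> int:
    """Double the PBKDF2 iteration count until one guess costs target_seconds here."""
    salt = os.urandom(16)
    iterations = start
    while time_guess(stretch_pbkdf2, b"calibration", salt, iterations) < target_seconds:
        iterations *= 2
    return iterations


if __name__ == "__main__":
    password = b"correct horse battery staple"  # constructed sample passphrase
    salt = os.urandom(16)                        # random per-volume salt
    for iterations in (1000, 2000, calibrate_iterations(1.0)):
        cost = time_guess(stretch_pbkdf2, password, salt, iterations)
        print(f"PBKDF2 {iterations:>9} iterations: {cost * 1000:9.2f} ms per guess")
    cost = time_guess(stretch_scrypt, password, salt)
    print(f"scrypt n=2**14 r=8 p=1    : {cost * 1000:9.2f} ms per guess, ~16 MiB RAM")
```

The timings are for a general-purpose CPU; an attacker's GPU or ASIC runs the PBKDF2 loop far faster, while the scrypt memory requirement per guess stays the same.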