I hate to say it, but
This is not unusual. Wacky security holes exist all over the place. Part of it is lack of understanding but part of it is just optimistic laziness. I confess that despite my knowledge in this area, I am still often an offender myself.
You can get an indication of the extent of the problem by looking at how often security warnings and updates happen in even old and well-audited systems. You can also get an indication from subtle cues such as widespread misunderstandings of things like password strength.
We can never tighten this up without wide dissemination of understanding, agreement and ongoing audits to make sure that systems are actually secure against attack. We might not be able to defend against attacks from powerful adversaries like the NSA, but we can and should deflect trivial attacks on obviously deficient security.
The state of data security is woefully inadequate and may even be getting worse.