This is all a good point, but calling it bullshit is counterproductive. Bullshit implies people are trying to get away with something by doing this. The much more likely scenario is that most people, such as myself, never realized this.

By all means, point out security problems and offer suggestions for improvement, but try to assume good faith. Making people feel stupid for missing something in a field that is defined by its difficulty isn’t useful.