That is still pretty stupid. Either the website shouldn't be responsible for controlling access or they should have to take steps that are actually effective for controlling access. The idea that they have the responsibility to control access to their website but can fulfill that responsibility by doing something that they know is completely ineffective is pretty stupid.