The 4-digit PIN is pretty ridiculous, but just a quick look at their SSL ciphers and their HTTP headers shows they're less than what would be considered best industry practice. Bitcoin-handling sites should exceed industry standards when it comes to security. They also mention, when explaining how their vault works, that they first receive Bitcoins and then take the computer offline. The computer with the private keys should never be online in the first place.