If that's really all the security they have, it's kinda bad, but it does encourage the right attitude for early bitcoin adopters, which is only put as much bitcoin in any online wallet as you would in your actual wallet.
It's not the only security. In short there's a rate-limited pincode, 2FA, spending limits plus a password for your vault, and they offer insurance against lost bitcoins that you didn't cause.
It's not that bad. Firstly the account is rate-limited. a 4-digit pin has 1/10k chance of getting it right, you get a few chances. It's about the same chance of being killed by an airplane hitting you, or being killed by a grizzly bear.
Then there's the 2FA the account has. Meaning if you have $50 on your account, you can secure it with a quick pincode. If you have $50k on your account, you can add extra authentication.
In fact, 2FA can be set up not just for login or for entering what is called the 'vault' (which by the way, is an insured product), but it can also be configured specifically for daily payments above a threshold, of say $50 a day.
That vault, the insured product, has an additional password by the way. So you can have a pin, a password, 2FA and spending limits AND the bitcoins themselves are insured by them.