Hacker News
by q3k 3993 days ago
The apparent lack of any sort of security practices by the code author should be a signal to the clients of pawnmail [1] that they should find another hosting provider.

[1] - https://pawnmail.com/

3 comments

It's pretty rational for a proof-of-concept in something as innocuous as chat software to completely ignore security. That doesn't mean the author wouldn't spend time on it for his actual business, the one that generates actual money.

Most people pay attention to the requirements of their specific problem when designing software.

Ehhhh, I don't know... I have lots of proof of concept code that isn't very secure, but have production code that is... Just because a proof of concept isn't crazily secure, doesn't mean that his production stuff is lacking too.

I don't think that's a fair suggestion to make based on a minimal POC.

The author doesn't mention hack.chat as a PoC anywhere. Additionally, it's in the same “Projects” section as pawnmail on his website [1]. So yeah, that's not a PoC in my book.

[1] - http://andrewbelt.name/