I think that a lot of security education over the past decade oversimplified this and so it's not surprising that some people understood it that way. In reality, "security" online could include all sorts of different threats, some of which could be from the site operator, some of which could be against it, and some of which could be against the communications between the user and the site operator—among other possibilities.
I don't think it's surprising that a lot of users internalized the idea that the presence of a lock means the entire situation is somehow legitimate. Unfortunately, that idea is counterproductive in our current environment.
Edit: a nice post from 2.5 years ago on this point: