Actually, I’m going to try to be more constructive with my comments.
That padlock does signify that you’re surfing the website you think you are, but it does not signify you’re necessarily looking at the business you think you are. Anyone can get the domain and accompanying certificate for “hottmail.com” or “batle.net” and get a padlock. It’s always up to the user to pay attention to what site they’re on.
It’s not just misspelled domains, either. I could obtain the website mushu.co.uk or mushu-inc.com this afternoon and get a certificate for it, and it would be completely legitimate. It’s up to the users to distinguish whether it’s really you or someone pretending to be you. This is the way the vast majority of CA-signed certificates work. They confirm you’re on the website you’re on, not the business you think you’re looking at. This is the way it’s been for over 20 years.
On the other hand, if I have a big enough business, I can obtain an EV Certificate, which not only confirms I have control of the domain, but that I’m actually the business I claim to be (they’ll generally say the name of the business next to the URL). They are ridiculously expensive since they require human intervention, so it’s usually only banks and multinational corporations that have them. Businesses that really need to demonstrate they are who they say they are.
Your security staff are very wrong, embarrassingly wrong for security personnel!
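
The distinction drawn in the comment above, as an added example that is not part of the original post: it reads the certificate dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and reports what identity the certificate actually attests. The two sample certificates and the names in them are constructed, the subject-field check is a heuristic (the authoritative marker is the certificate policy OID, which `getpeercert()` does not expose), and it also recognises the intermediate organisation-validated tier the comment does not mention.

```python
# Added example: what does a "padlock" certificate actually vouch for?
# Heuristic classification from subject fields only.

# Subject attributes that EV certificates carry in addition to an organisation.
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into {name: value}."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def attested_identity(cert):
    """Return the validation level, organisation (if any) and covered domains."""
    subj = subject_fields(cert)
    domains = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    org = subj.get("organizationName")
    if org and EV_FIELDS <= subj.keys():
        level = "EV"   # organisation legally vetted by the CA
    elif org:
        level = "OV"   # organisation named, lighter vetting
    else:
        level = "DV"   # only control of the domain was checked
    return {"level": level, "organization": org, "domains": domains}

# Constructed sample: a valid certificate for a lookalike domain.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "hottmail.com"),),),
    "subjectAltName": (("DNS", "hottmail.com"), ("DNS", "www.hottmail.com")),
}

# Constructed sample: an EV-style subject for a made-up bank.
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "GB"),),
        (("serialNumber", "00000000"),),
        (("countryName", "GB"),),
        (("organizationName", "Example Bank plc"),),
        (("commonName", "www.example-bank.test"),),
    ),
    "subjectAltName": (("DNS", "www.example-bank.test"),),
}

if __name__ == "__main__":
    for cert in (LOOKALIKE_CERT, EV_CERT):
        print(attested_identity(cert))
```

Both samples would show a padlock in a browser; only the second names a business, and the first is a certificate for exactly the domain it claims, which is all a domain-validated certificate promises.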