I suspect that developers of Bitcoin services who are responsible for security consistently and dramatically underestimate what it takes to build a secure Bitcoin service. Coding and operational practices that are perfectly adequate for building a typical e-commerce site turn out to be utterly inadequate for, say, a Bitcoin exchange.