They don’t have lax security measures. They use industry standard measures, including encryption in transit and at rest, salted passwords (they were caught without salt over a decade ago and fixed it), internal training on security, phishing simulations, the works. Your data is their business, they don’t want to lose it.