How an exchange can be trusted if it has security flaws by design? [Liqui.io]
Board: Exchanges
by sachinov on 04/03/2017, 17:54:07 UTC
I see security as the #1 reason for marking exchanges as trusted in the world of cryptos.

The thing is that you don't really own your coins if you don't have your private key. Such a scenario happens in all of the exchanges, and the only way to sleep well at night is the reputation and the security design of the exchanges.

I used Liqui several times until I realized that if they have bad security by design, it may reflect on other things in their company, and I'm not willing to take that chance.

Some things that I found:

- 2FA can be enabled / disabled from the settings without the need for any email confirmations.
- If 2FA is enabled, it can be disabled without asking for the current 2FA token
- Change password is sent to email as reset password?? (wtf) without the need to reconfirm the current password

I didn't want to look deeper than that, but I believe that they have more bad / wrong scenarios in their code.

Why do people continue using them? Why don't they fix that?
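
The three observations in the post all describe sensitive account changes being accepted without re-proving the current credential. A sketch of the opposite policy, as an added example that is not Liqui's code or part of the original post; the `Account` class, its method names and the in-memory `outbox` standing in for notification e-mails are hypothetical:

```python
import hashlib, hmac, os, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:  # hypothetical in-memory account record
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_pw(password, self.salt)
        self.totp_secret, self.totp_enabled = totp_secret, True
        self.outbox = []  # notifications that would be e-mailed to the owner

    def _pw_ok(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_pw(password, self.salt))

    def _totp_ok(self, code: str, now: int) -> bool:
        # Accept the current and the previous 30 s step to tolerate clock drift.
        return any(hmac.compare_digest(totp(self.totp_secret, now - d).encode(),
                                       code.encode()) for d in (0, 30))

    def disable_2fa(self, password: str, code: str, now: int) -> bool:
        # A logged-in session alone is not enough: both factors are re-checked.
        if not (self._pw_ok(password) and self._totp_ok(code, now)):
            return False
        self.totp_enabled = False
        self.outbox.append("2FA disabled")
        return True

    def change_password(self, current: str, new: str, code: str, now: int) -> bool:
        # The current password is required, plus a 2FA token while 2FA is on.
        if not self._pw_ok(current):
            return False
        if self.totp_enabled and not self._totp_ok(code, now):
            return False
        self.salt = os.urandom(16)
        self.pw_hash = hash_pw(new, self.salt)
        self.outbox.append("password changed")
        return True
```
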