Bitcoin can be stolen in many ways and I am almost sure that many of those people that have lost funds did so because they were clicked into phishing links and went to websites that look like blockchain.com

However, I don't know what do people expect from a website. The content of the page and possibly some other features too can be changed by anybody from the company and by anybody else powerful enough to trick your browser's DNS resolving (OK, lately with forced https this will no longer happen). This means that you are never to be sure what you run there.

If you look into their ToS, they're basically not liable for anything. And that's right, if one is lazy enough to use web services instead of a proper wallet then maybe he deserves his fate...