The casinos which accept zero confirmation deposits have no risk of capital loss, and can only at most lose the deposit the customer placed. If the customer wins, they will not be allowed to withdraw until the deposit confirms. If the customer loses and double spends their deposit, then at most the casino will lose their deposit, and will then ban their account and IP address.

It wasn't, as pooya has pointed out above. One of the primary goals behind segwit was to fix transaction malleability to allow the Lightning network to function properly. See here: https://bitcoincore.org/en/2016/01/26/segwit-benefits/. P2PKH and P2SH addresses are still vulnerable to such an attack, however.