1) They covered users' losses if anything happens.
They have in the past covered users' losses when the fault was bc.i's, but nobody knows if they would have been able to do so during the last big one if not for johoe's saving 870btc on behalf of bc.i, nor if they'll be able to afford their next big one (which of course I hope will never happen!).
2) They are well-known and trusted.
That's the whole problem. People who don't know any better trust that bc.i is both honest and competent. While the former seems likely IMO, the latter does not, and you need to have both to prevent loss.
3) Importantly, it is an online wallet.
Most people usually don't check how "secure" a wallet is. They check how "easy" it is to spend from a wallet or to access it.
I agree, and that's what I find unfortunate. There are more secure online alternatives.
Adslot in this forum about electrum:
There are several different types of Bitcoin clients. Hybrid server-assisted clients like Electrum get a lot of their network information from centralized servers, but they also check the server's results using blockchain header data. This is perhaps somewhat more secure than either server-assisted clients or header-only clients.
Electrum's model would have some security benefits over a P2P SPV model if the Electrum servers were required to use SSL, but they aren't. As it is, I see no security benefits. P2P clients d/l headers & merkle branches from 8-ish full nodes (out of thousands globally), and Electrum clients d/l headers & merkle branches from 8(?)-ish Electrum servers (out of 14 globally). Could you or Adslot be more specific on why you think otherwise?
Electrum's model does have a privacy disadvantage when compared to P2P SPV—AFAIK, Electrum doesn't use bloom filters for monitoring addresses.