It is not only about stealing users' coins, it is also about "stealing" users' personal data, which is very hard, if not impossible, to spot early in the case of closed-source wallets.
Exactly, that's why I don't consider them private, SPV asides. If you don't put transparency above all, you can neither convince us you have good intentions, nor you have coding skills, and therefore, your software can't be called secure nor private. And that's exactly what's happening with closed-source wallet software. The developers either put some backdoor, or they're just not competent enough.
The best example is Windows.
And yet, number one in usage. That's the power of marketing.