Correct, the security some of the venders use, are not all that secure.
"you get what you PAY for"
Very NOT true!
You couldn't completely secure a website if you spent your entire business budget on security. Recent sucessful hacks include Michelle/Barrack Obama's Social Security numbers, George Bush's daughter got her numbers hacked and the list goes on and on.
You could get hacked simply buying from a local "trusted" vape store the same way you can get hacked buying from an online retailer. Hackers are not TARGETING THE VENDORS, THEY'RE TARGETING THE MULTI-MILLION DOLLAR CORPORATIONS THAT HOST THEIR PAYMENT GATEWAYS. They go after companies like Autorize.net, Visa, Mastercard, Paypal - all of these MAJOR corporations have been hacked at least 10 times this year alone.
Sure they update and try to up secure and reform so they can't get back in the way they got in the first time but hackers just look for other holes in security. There is NO 100% secure website or local vendor, it doesn't exist! You want 100% secure? Pay cash, otherwise there will always be a small risk.
Should you as the consumer be worried? Yes and No - Yes of course you should keep an eye on your money and account at all times. And no all your money is insured I've yet to hear of someone who didn't get all their money back, that's why we use FDA insured institutions.