I know of at least one site with a big S that not only doesn't use reCaptcha on every login, but they also redirect to unencrypted HTTP after login via HTTPS, a practice extremely frowned upon by security experts for 16+ years or so. I mean, if we're going to be comparing certain platforms with big Ss and all as the huge blueprint allegedly being followed. :)
Well, my point is mostly : the more a site has increased security features , the more it's a challenge for anyone who attempt to "break" it, and when it's "broken" , another security layer is added and so on ...to the point the regular user is annoyed. > see the debacle with Steam & their virtual items ... .It's the game the cat & the mouse.
Sure they are users who don't really care / or don't pay attention to the basic security advices, which initially could be the reason of the increase of the security measures... ie : too common passwords, clicking everything on a webpage :P (especially certain malicious websites) , phishing , and i could continue.
In other hand as you pointed out some sites have poor security functionalities and shouldn't be used.