Most HWWs are developed using cheap IoT SEs, some with poor track records. These only provide protections against basic attacks and anyone that stole a few HWWs holding 1BTC can easily make a good return on investment.

They also are not developed with security by design: it’s literally “throw shit at a wall until it works”