It's financial. It's a lot more complicated for me to inspect an app than a website. I understand that the modern generation is pretty comfortable with this but us old folks have a lot of money and don't trust our phones with it as easily. (I beta tested Android while at Google. Smart phones aren't new to me. I just have a different level of acceptable risk than my kid does.)
Nobody capable of finding exploitable issues is going to be deterred by being an app rather than a website.
If their thought process on this is actually “security through obscurity”, then I would not go anywhere near this as it tells me immediately that they don’t give a single solitary fuck about proper security guidelines.
