Strictly speaking, Lavabit always had a back door. Writing the code to exploit it does not in any way change the truth or lack of truth in any of Lavabit's business statements. At some point the secret keys of each Lavabit user were sitting in some part of the server's memory, in the clear, there for the taking.

At best Lavabit only ever provided security between logins i.e. when the data is "at rest." Any claims of security beyond that are, to be polite, overstated.