Security audits on vendors?

Status
Not open for further replies.

SteveD3

Has anyone seen or done a security audit for various e-juice vendors, or know if they've published audits on their own?

I ask because I just registered at a vendor's site and they emailed my password in clear text. Upon ordering, the gateway was displayed in an IFrame, which had a cert error. (I won't out them, as I've emailed the company and alerted them to the issue.) Just wondering if anyone's had issues or checked the InfoSec side of vaping.

-Steve
 

rolygate

I think the plain facts are that enthusiastic vapers open web businesses to sell products, and they don't know much about web servers, ecommerce, or security. They are simply vapers who 'go professional'.

Therefore you are always going to find issues related to all aspects of web trading. In fact I would go so far as to say that vaping businesses need to be turning over about $10m annually, as a rule, before they appear to be employing the right people to sort out their web issues properly. I say this because there are multiple instances of traders with a $1m turnover (and even $5m occasionally) who don't appear to have the most basic knowledge of web business - which of course is totally different to B&M business.

Naturally there are exceptions, perhaps where someone has been very lucky with their selection of website help; but as a rule it seems to me that the concept of an e-cigarette web trader employing a security consultant to closely examine their operation and fix the multiple issues that are always going to be there is absolutely foreign to ecig traders. To be fair, this is a universal problem and in no way exclusive to the ecig trade.

The issues you mention are common, and represent about 1% of the security issues you can find if you dig deeper. Some of the issues are fairly serious. I imagine that the basic problem is that someone unfamiliar with web trading thinks it is possible to 'have a website built' and then that's it - job done. No oversight, or upgrades, or audits, or other worries are needed...

Kind of like opening a main street vaping shop and forgetting about the locks, burglar alarms and insurance, maybe. But that's the web for you, anyone can do it.
 