
That's why you use TextSecure instead of insecure proprietary "popular" apps.

WhatsApp could also use TextSecure's ratcheting protocol. Why aren't they? Beats me. Maybe they prefer weaker security for their users.



No, it isn't 'prefer'. It's that users don't care about this kind of security in practice; they only care about the kind of security from other people in their personal lives, which is more about privacy controls than actual security.

Because of this, they get no reward from the market if they actually focus on security. Instead they focus on things the market DOES reward them for, which is being fast, never being down, being available everywhere, for the cheapest price, with no annoying ads.

They only have 35 engineers, what they could do is limited. So security becomes priority #50, like for most startups, and only a few token hours of effort are put in. That single AES key was probably implemented 3.5 years ago.


Every security researcher goes through this phase when it dawns on them no one gives a shit about security. It leads to a few years of depression, and then going to work for people who, for whatever reason, really do care about security.


"They only have 35 engineers, what they could do is limited."

Um, am I the only one that thinks 35 engineers is a pretty good size team to get a good amount of work done?


> Um, am I the only one that thinks 35 engineers is a pretty good size team to get a good amount of work done?

It takes extraordinarily good engineering practices and discipline to get 35 engineers working as well as you'd imagine WhatsApp could have.



