That is because browsers obey the false root certificate installed locally, even when they otherwise pin the certificate down. This is a deliberate choice, but that doesn't mean HTTPS isn't secure; it means that you can't trust a computer you don't control.
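The policy described above, as a simplified model (an added example, not part of the original text and not any browser's actual code). The `Cert` fields, the three chains, the SPKI byte strings and the verdict strings are all constructed for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    spki: bytes                   # constructed stand-in for the DER SubjectPublicKeyInfo
    user_installed: bool = False  # True if this root was added to the local trust store


def spki_pin(cert):
    """Base64 SHA-256 of the SPKI, the usual form of a public-key pin."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()


def evaluate(chain, pins):
    """Pin decision for a leaf-first chain that already path-validated to chain[-1]."""
    anchor = chain[-1]
    if any(spki_pin(c) in pins for c in chain):
        return "accept"
    if anchor.user_installed:
        # The pin did not match, but the anchor is a locally installed root:
        # the local trust decision wins and the pin is not enforced.
        return "accept-pin-bypassed"
    return "reject-pin-mismatch"


# Constructed sample data: the site pins its real intermediate CA.
REAL_INTERMEDIATE = Cert("Example Issuing CA", b"spki-real-intermediate")
PINS = {spki_pin(REAL_INTERMEDIATE)}

GENUINE = [Cert("example.test", b"spki-real-leaf"),
           REAL_INTERMEDIATE,
           Cert("Public Root CA", b"spki-public-root")]

# Chain presented through a root that someone installed on this machine.
INTERCEPTED = [Cert("example.test", b"spki-proxy-leaf"),
               Cert("Locally Installed Root", b"spki-local-root", user_installed=True)]

# Same host name issued under a different built-in public CA: the pin still holds.
MISISSUED = [Cert("example.test", b"spki-other-leaf"),
             Cert("Other Public Root CA", b"spki-other-root")]

if __name__ == "__main__":
    for name, chain in [("genuine", GENUINE), ("intercepted", INTERCEPTED),
                        ("mis-issued", MISISSUED)]:
        print(name, "->", evaluate(chain, PINS))
```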