You don't relock the bootloader because every lock/unlock cycle clears user data, and you might need to update recovery to update your ROM. Even if you relock the recovery, the next step is the infamous "no sha1 signature found, flashing boot sector unconditionally" (which is a step up from md5!). TWRP has enough attack surface; Android devices have very little physical security.