Exactly, these flaws feel like the kind of thing that pops up due to a conflict between product UX people and security people. Surely they had at least 1 engineer who was aware that unencrypted website URLs, ECB mode, and not upgrading work factors was a bad idea. They just likely lost out to some product owner who thought displaying favicons, detecting reused passwords on the server, and not bothering the user to upgrade on login were more important than security.
At big companies, too often do the people in charge of the product seem to forget what the core product really is.