The OpSec Manual

Common Mistakes

100% security

People still believe that there is such a thing as 100% security. Everything is flawed in some way; 100% security would require perfect security, which simply isn't possible. If someone is determined and has enough time and funding, they will find a way around your security. A better approach is to have reasonable security and to keep up to date with the latest threats through constant software updates and practices such as defence in depth. This makes the time and effort required impractical or not worth it for your adversary. Cryptography works the same way: a 128-bit key can be brute-forced in principle, but the only thing stopping an attacker is that it simply takes too long. Anonymity also plays a role; it is harder to attack someone you know nothing about.

FUD

This stands for Fear, Uncertainty and Disorder. Sometimes people spread information that is blown out of proportion or simply false, which creates fear, uncertainty, and disorder about a particular OpSec practice, protocol, or piece of software. For instance, a while ago somebody had been using LUKS on one computer and VeraCrypt on the other. Law enforcement was able to get into the LUKS-encrypted computer but not the VeraCrypt-encrypted one. The person in question claimed to have been using a "secure password", which suggested that LUKS wasn't secure, and in turn many began to believe that LUKS was not secure. The LUKS-encrypted computer was actually using LUKS1, not LUKS2, and LUKS1 is comparatively easy to password-crack because of its weak PBKDF2 parameters. This also means that the password that was supposed to be secure was not so secure after all, because it was cheaper to crack than assumed. In response, Tails switched to LUKS2 and published an announcement about LUKS1 and LUKS2, explaining that LUKS2 is harder and more expensive to password-crack because it uses Argon2 instead of PBKDF2. If the password had been longer, or had been a passphrase of sufficient length, this probably wouldn't have happened in the first place.

Instead of automatically believing or claiming that something is insecure, it is better to investigate why it didn't protect something as well as it should have, and then make changes accordingly. Sometimes things are genuinely insecure and you should stop using them, such as 1024-bit RSA; other times something wasn't used or configured properly. There are typically a lot of factors involved. Basically, don't take things at face value, and do your own research.
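As an added example (not part of the manual), here is the kind of check "do your own research" calls for: a small shell function that reads `cryptsetup luksDump` output and flags key slots still protected by PBKDF2, the LUKS1 weakness described above. The sample dumps are constructed and abbreviated from the real report layout, and `/dev/sdX` and `/dev/sda2` are placeholders.

```shell
# Check a `cryptsetup luksDump` report for key slots still protected by PBKDF2.
# A LUKS1 header never prints a "PBKDF:" line (it is always PBKDF2); LUKS2
# prints the KDF per key slot, so a slot carried over from LUKS1 shows "pbkdf2".
# Usage: sudo cryptsetup luksDump /dev/sdX | audit_luks_dump   (exit 0 = all Argon2)
audit_luks_dump() {
    awk '
        /^Version:/           { version = $2 }
        /^[[:space:]]*PBKDF:/ { if (tolower($2) == "pbkdf2") weak++ }
        END {
            if (version == "1") {
                print "LUKS1 header: every key slot uses PBKDF2; run cryptsetup convert --type luks2, then luksConvertKey --pbkdf argon2id"
                exit 1
            }
            if (weak > 0) {
                print weak " LUKS2 key slot(s) use PBKDF2; run cryptsetup luksConvertKey --pbkdf argon2id on each"
                exit 1
            }
            print "all key slots use Argon2"
        }'
}

# Constructed, abbreviated dumps (a real report has many more fields per slot).
sample_luks1_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes

Key Slot 0: ENABLED
        Iterations:             1234567
EOF
}

sample_luks2_mixed_dump() {
    cat <<'EOF'
LUKS header information
Version:        2

Keyslots:
  0: luks2
        PBKDF:      argon2id
        Memory:     1048576
  1: luks2
        PBKDF:      pbkdf2
        Iterations: 1500000
EOF
}
```

Slot 1 in the second sample is what a key slot looks like after `cryptsetup convert --type luks2` alone: the header is LUKS2 but the KDF is still PBKDF2 until `luksConvertKey` is run.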

Overlooking other vectors

When threat modelling, accounting for every possible attack vector can be very difficult, and you are going to overlook something. You can minimize the chance of overlooking attack vectors by studying how the thing you are using or trying to protect operates; the more you know, the better. For instance, if you want to PGP-encrypt your email, you should understand how email works. Once you know how it works, you will find more vectors, such as the email metadata and the fact that PGP encryption will not protect the metadata of an email such as the subject line. You can then plan a mitigation accordingly, such as not using a subject line, putting the subject line in the body where it can be encrypted, or using a vague subject line.