When it’s not E2EE, maybe they are right. What’s the point of encrypting something that gets decrypted midway by an organization with hundreds of employees, many of them with access, not even talking about law enforcement and accidental criminals.
EDIT: I mean, illusion of security may be sometimes worse that lack of that little security which comes with it. Everything is complex.