To correct your analogy they are probably thinking more along the lines of:
"I just custom built a car but bought a knock-off car door that has a fake keyhole and no real locks"
"Hey! You've left your car unlocked! I got in with any key!"
"Why were you trying to get into my car?"
Of course the analogy breaks down even further when you consider that the "car" in this case contains stuff(sensitive user data) that doesn't belong to the car owner. Analogies are hard.
They are, and they're never perfect. But there's a simple question people should ask themselves when someone tells them their site is insecure: If this person intended to misuse this information, why are they telling me about it? And I think the analogy I offered also suggests this question.
"I just custom built a car but bought a knock-off car door that has a fake keyhole and no real locks"
"Hey! You've left your car unlocked! I got in with any key!"
"Why were you trying to get into my car?"
Of course the analogy breaks down even further when you consider that the "car" in this case contains stuff(sensitive user data) that doesn't belong to the car owner. Analogies are hard.