
Basically, applications should use a lock file for dependencies based on known tested good versions of dependencies.

How is it that people aren't doing that today? For the sake of security and stability, lock files should be used.
They are used. A lot of the comments in this thread that are about NPM specifically are strawmen, since it has been standard to use lock files for years.

You could still have an issue if you need to update a dependency, for security or other reasons, since it could bring along a bunch of updated sub-dependencies of its own (and sub-sub-dependencies, and so on). But that problem is not unique to NPM and exists in any language or platform that includes package management.
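The transitive churn described in the comment above is easiest to see by diffing the lock file before and after a bump. The script below is an added example (not from this thread or from npm itself); it assumes the `packages` map of an npm lockfileVersion 2/3 `package-lock.json` and uses two constructed lock files in which one direct dependency is updated.

```python
import json

# Constructed sample lock files in npm lockfileVersion 3 "packages" layout:
# the state before and after bumping the single direct dependency "web-lib".
LOCK_BEFORE = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-lib": "^1.0.0"}},
        "node_modules/web-lib": {"version": "1.0.0",
                                 "dependencies": {"util-a": "^2.0.0", "util-b": "^0.9.0"}},
        "node_modules/util-a": {"version": "2.0.1"},
        "node_modules/util-b": {"version": "0.9.0"},
    },
})
LOCK_AFTER = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-lib": "^1.1.0"}},
        "node_modules/web-lib": {"version": "1.1.0",
                                 "dependencies": {"util-a": "^2.1.0", "util-c": "^3.0.0"}},
        "node_modules/util-a": {"version": "2.1.0"},
        "node_modules/util-c": {"version": "3.0.2"},
    },
})

def resolved_versions(lock_text):
    """Map install path (minus the leading node_modules/) -> resolved version."""
    lock = json.loads(lock_text)
    versions = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        # nested duplicates keep their path (e.g. a/node_modules/b) so they do not collide
        versions[path.removeprefix("node_modules/")] = entry.get("version")
    return versions

def lock_diff(before_text, after_text):
    """Report which packages were added, removed or changed between two lock files."""
    before, after = resolved_versions(before_text), resolved_versions(after_text)
    return {
        "added": {n: after[n] for n in after.keys() - before.keys()},
        "removed": {n: before[n] for n in before.keys() - after.keys()},
        "changed": {n: (before[n], after[n])
                    for n in before.keys() & after.keys() if before[n] != after[n]},
    }

if __name__ == "__main__":
    # A single bump of web-lib changes util-a, drops util-b and pulls in util-c.
    for kind, pkgs in lock_diff(LOCK_BEFORE, LOCK_AFTER).items():
        print(f"{kind}: {pkgs}")
```

Run against a real `package-lock.json` pair, the `added` and `changed` sets are the packages that need review before the updated lock file is committed.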