I'm not suggesting that implication. The implication is that when you know someplace seriously botched security in one area, you should assume all their security is suspect.
The default most of us have to use is to assume when we use websites is that they are doing things right, so seeing no problem in one area (login passwords) doesn't change anything about our confidence in the rest of the site (credit cards). It stays at default.
Always assume they're doing it wrong, because usually they are.