Don't try to blame the users. The whole situation is Ledger's fault, they either failed properly communicate the security model (making the customers believe a different thing for years) or completely abandoned their previous stance.