I'm not surprised at all. Almost every part and peripheral in STM32 has many silicon bugs, insane design choices, catastrophic documentation flaws, etc. In addition, they don't keep the errata sheets up to date, and ignore silicon bug tickets completely. Everything in STM32 screams "made in a hurry" and "you are on your own".
It would be stupid to expect that the "security" features would differ from the general trend.
Although, I have a feeling that in 97% of the cases, no one really needs the flash protection, engineers know perfectly well it doesn't stop the copying at all, but the copying is still not going to happen because the device designed is most likely uninteresting; but the locking features need to be there for the clueless, non-technical middle management. In the remaining 3%, security is really needed, and in those cases, I really hope that the said middle management is up to the task so that they understand it when the designer says resources are needed to harden the thing since some lock bits are completely insufficient.