Developers/hackers get direct access to the user's private key. A single dev/CEO/CTO can hack all the funds. Everything happens on-chain, so once funds are gone they can't be reverted (unlike with banks).