The protection they rely on is holding the device like they should. If it's taken the PIN will be trivially bypassed anyway. Now I feel like an idiot for replying to what probably amounts to a troll, but you never know.
That's why I don't store extensive Contact information in my phone (that's what my personal protein-based storage is for), and ZERO really juicy information. My Apple ID is stored somewhere in the phone, but not my very non-trivial password.
That way, if my phone is lost and compromised, or simply compromised, all the data-thief gets is... wait for it... a PHONE.
BTW, this is also why I don't participate in any of the voluntary data-gathering that is disguised as "social networking". It's bad enough that I have a gmail account; but I don't use that for anything anyone would be able to gain any more interesting information about me than could be gleaned by looking at my grocery-store receipts. And it's bad enough that the last 4 digits of my debit card appears on them...
Bottom line: Stop trusting others' coding and/or algorithmic prowess for your security! Security begins by not storing stuff in places other than your brain. If someone wants to kidnap me and get out the fingernail-pullers, they can have any information they want, and in short order. But absent that, unless someone successfully does a fairly-complicated (I would imagine) MITM attack between my bank's secure website and me, there's little of REAL value that could be gained by examining any of my online data, or by stealing my phone, tablet, work laptop, or home computers. They simply don't HAVE the information. My brain does.
Has my method occasionally caused me inconvenience? You bet! But security and convenience are pretty much mutually exclusive concepts, anyway, right?