Hacker News

Indeed. This is so obvious that the fact that it's not the case raises concern.


This is so obvious that the first thing I would do is look to see if they've addressed it in some way, instead of assuming incompetence.

If you have gone through the process of being charitable-first, instead of dismissive-first, then you would notice that they have explicitly spent engineering hours on this exact problem by using an SRP-based session key exchange for mutual authentication (and additional session encryption, in addition to TLS). [1] [2]

It's not easy to engineer for both security and usability, so I especially appreciate it when someone spends the time to accomplish both.

[1] https://blog.agilebits.com/2015/11/11/how-1password-for-team...

[2] https://1password.com/files/1Password%20for%20Teams%20White%...



