I’d say more that people don’t know or don’t care. If you ever install software by
curl http://... | sudo sh (and I see that recommended not infrequently) then there’s a whole host of trust issues at all levels of the stack that can just go wrong (DNS spoofing on the host name, an attacker replacing the contents of the installer at the network level, …); but it’s super convenient. If you’ve ever fought with Debian or Ubuntu’s signed package system, on the other hand, there are some deep magic incantations to get a signing key correctly imported, and if you get it wrong there’s a bunch of scare warnings that, 99% of the time, don’t actually make a difference.
With Docker, even if it’s “less secure”, there are a ton of tutorials out there on how to use it and do standard things, including some “insecure” things like letting the application code be injected from a host directory outside the container system’s control. I think most people don’t think of that as a tradeoff, unless you’re really a security expert. The choice between “popular, and securable, but with some not-quite-optimal defaults” and “totally obscure but more secure in tiny-detail ways” is usually pretty clear for most people.
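An added example, not part of the original post: one way to keep most of the convenience of the curl-pipe-to-shell install mentioned above is to download the installer to a file and compare it against a SHA-256 digest obtained out of band before running it. The function names are hypothetical, and the URL and digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a pinned SHA-256
# before running it, instead of piping curl straight into sudo sh.
# Function names, URL and digest are illustrative assumptions.

sha256_of() {
    # Print the hex SHA-256 of file $1 using whichever tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_installer() {
    # $1 = downloaded file, $2 = expected digest obtained out of band.
    # Returns 0 only on exact match; missing file or empty digest fails closed.
    [ -f "$1" ] || return 2
    [ -n "$2" ] || return 2
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

fetch_and_verify() {
    # $1 = https URL, $2 = expected digest, $3 = output path.
    # The whole file is downloaded first, so a truncated or swapped
    # response is never executed; it is deleted if verification fails.
    case "$1" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 3 ;;
    esac
    curl --fail --silent --show-error --location \
        --proto '=https' --proto-redir '=https' --tlsv1.2 \
        --output "$3" "$1" || return 4
    if ! verify_installer "$3" "$2"; then
        echo "digest mismatch for $3, not running it" >&2
        rm -f "$3"
        return 1
    fi
}

# Usage (placeholders, not a real project):
#   fetch_and_verify "https://example.invalid/install.sh" "<pinned sha256>" \
#       ./install.sh && less ./install.sh && sudo sh ./install.sh
```

The digest only helps if it comes from a channel the attacker on the download path does not also control, such as a signed release announcement.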