
There are *no* shortcuts if you want full privacy and security.
I doubt "Should we encrypt the session cookies" was even a question at these companies.
I'd guess the chain of "logic" the developer(s) followed would have gone something like this:
"Almost no one knows what these are, so no one will look for them and besides, they are on the end user's machine"
Forgetting that "Almost no one" would include any competent Black hat on the planet.
Good developers would have this on their "Stuff not to do when developing a security application" checklist.
Bad developers don't have a checklist to start with. Part of what makes them bad developers.