do people not realize that you aren't liable for fraudulent transactions with most credit cards?
It's not liability that's the issue it's the inconvenience of dealing with it. That's in a best case scenario.
in terms of actual PII theft, humans are much "better" targets than systems. Without question your data is more secure on a PCI compliant server than on a piece of paper.
Tell that to the victims of major-breach-of-the-day... TJ Max, Target, etc.