I think part of the issue is that there is no warning that the .js is not been used and some think that the module is PCI compliant.
Personally, I didn't know until i ran into this post a couple of months back as i was setting up blesta. at this point to be honest I stopped spending money on further site development and decided to wait for bootstrap and hope to see significant changes with this module + the support module that I am to checkout this weekend
If it doesn't exist yet, a warning should be made on the module of this or better yet update the module to use the .js to make use of this "loophole" while still open and still make the warning if needed + have the option to use the stripe checkout (https://stripe.com/docs/checkout) which will go trough stripe directly.
Just my 2 cents