I know people who use Chivo without problems, and even praise it, and I know people who say they've been "Hackeado" using Chivo. Of course, I also know people who say they were hacked but actually just fucked up using it.
Since I don't trust it and recommend other (open-source) solutions, even to people who use Chivo and like it, I can't really comment much. Intuitively I would suspect a lot of the problem is user error, which is itself a big problem. I know of people sending to the wrong address, and I know of people who just "clicked on a survey link and my money was gone."
It's also entirely possible there are vulnerabilites in the code. It's not like Salvadorans are known for their coding genius.
This to me is the equivalent of stupid things like the various wallet experiments Bitcoiners tried 10 years ago that led to hacker field days. When you get down to the actual work of adoption, this is the sort of problem that needs to get worked through.