Not having the image provides even less certainty of security.
You assume that the image being there will make people less likely to check other aspects of the site, like the URL. But consider the average user. Spoofing and phishing attacks work because people don't check these things.
The security image is difficult to spoof and is more likely to clue average users in to attacks. Therefore, it is useful as a security device and is not worse than not having it.
Although the implementation might have been cheap, there's another factor to consider:
If a system provides a false sense of security, this almost certainly decreases the actual security of the system.
And putting effort (no matter how cheap) into something that decreases the overall security - that's not a good idea regarding risk management.