That's fine, but the plugin stopped using wp-content/backup/ (non-random directory) something like three years ago, before I took over development. It's a much different plugin today, so please don't use this as a reason to criticize it.
I don't think it's shoddy coding. It is a prime example of users not fully knowing enough about their server to protect their files. Had used stopped people from viewing folders without index files, there would have been no problem. They could have even changed the permissions of the backups folder.
Personally I have one e-mail account that I only use to store database backups. As an extra precaution, I also have my server run complete nightly backups. None of this requires in depth understanding of servers, just a basic understanding of cPanel or the admin panel your host uses.
wp-db-backup is installed on every site I own. It is a fantastic plugin.
I only found this security hole by accident and confirmed it with a google search. I'm happy it's helped secure the plugin.