Well, as a computer/network security professional, historically there are plenty examples of companies who have lied about the security of their systems (eg. "without your password, our flash drives cannot be decrypted" when in fact the key is not related to the password and stored in plaintext in a sector on the drive).

Would you be able to give some examples? I enjoy reading those types of stories.

Who has the decryption key?

In the ideal world, there is no decryption key. They should use a one-way hash of the encoded fingerprint.

They might want to do approximate matching, though. That could make it hard or impossible to do without the decryption key.

Which is also when we can start hacking it for fun and profit.