"Bored mailman convicted for altering 8 ballot request forms" suggests that they are secure. Even if he wasn't caught, there should have been time for the ballots to be replaced.
Those claims have been shown to be largely incorrect, with even the foundation retracting the article. An unreturned ballot does not mean fraud, the registered voter may have chosen to vote in person or not vote in that election. Several states send ballots to every registered voter, and that's how the number reached 28 million.
