With iMessage, your account isn't (solely) linked to your SIM card. It cannot be, because iMessage also works on devices without SIM cards (iPod Touch, Mac).

I do not think you can claim it fails because it still works after removing the SIM card. You cannot claim that SMS fails on the security front because you can receive SMSes without logging in to iCloud, either.

I did not login into his iCloud account. How would I? I did not have his apple id credentials.

How is the fact that it works over WiFi a security issue ?

Because I received messages that were not meant for me. I got this iPhone from someone who removed his SIM card from it. And then I received messages for him that should have been delivered to his phone (the phone he put his SIM-card in).

Under settings on the iPhone there's the option to completely wipe the phone. Before you give your phone to someone else you should do this. Otherwise you were still logged in to his iMessage account.

It was freshly wiped before he inserted his SIM. He just used the SIM to activate it with iTunes.

The security problem here is the person who gave you the phone thought removing the SIM erased all their personal data/accounts and it definitely does not.

He did not enter any personal information into the phone. We just used his SIM to activate a wiped phone.