I lived in Spain and never understood how the DNI/NIEs weren't an easy vector for identity theft. You need to give the number to do the simplest things, and many people wanted to see the card (and possibly make a copy). As far as I know the smart chip on my card wasn't used once in 2.5 years. I suspect the digital certificates you could get from the government likely aren't as well protected by the general (non-technical) populace as they should be. What makes it harder for someone to steal an identity via a DNI/NIE in Spain than it is for someone to use a driver's license + SSN in the US?

(For what it's worth, I actually liked the national identity card, and didn't hear too much about identity theft - I'm just curious).

Things may have changed since you were here. Currently, there are additional digital systems built around the e-DNI, and much of the administration (national and local) uses them for most of the things where you previously just used your DNI number and a smile.

The certificates themselves in the DNI are used only occasionally, but it's mostly your decision: you can stick to using the certificates and not activate other means and then you can't access a bunch of things unless you use the certificates.

But still, this is mostly for the public administrations. Private entities, such as banks or whatever, don't really make use of it and build their own systems (most of the time quite stupid ones [0]).

--

[0] Fortunately they changed it, but for about a year or so my bank decided that instead of sending a 4-digit code through SMS -which you then typed to verify whatever transaction you were doing- it was "more secure" to just show 5, 10, or 20 4-digit codes on the transaction site and then send you a single number through SMS, say "7", to select the code from the list.

And somehow this was applauded and got them some newspaper headlines as the bank investing the most in advanced security in the country or some shit like that.

Spanish ID cards have multiple layers of security in them. The obvious one, and the one that is difficult to commit fraud with, is the chip, which is just a cryptographic one, but you also have RFID in them (with, I assume, appropriate FNMT signatures), and physically there are also the patterns in the print, the different textures in different areas of the card, holograms, transparencies and the like.

For most ID-requiring processes people undergo training to identify these security features, to the level of fraud that it's worth detecting for said process.

When the post office asks for your ID to retrieve a package, they won't check much, but I don't think it's unusual for banks to pass your card through the RFID reader and have a high-res picture of your face on screen, even if only to recognize you properly (btw, you have apps to read such data).
