Not because it’s hard work to protect themselves. But because it’s typically not a business priority (at top middle and via coercion and incentives, the bottom/workers too) to invest in security. Most of these big hacks are via well known threats that can be caught in typical good-faith auditing