Hacker News
by cmsd2 3085 days ago
Really? Both Azure AD and AWS Cognito use RS256 as the only algorithm supported. Perhaps my sample size is small.

Google OAuth 2 tokens are also RS256 JWTs
The requirements and budget of Google, Amazon and Microsoft are very different from a median start-up.

A simple, closely related field: OAuth 2 token replay attacks. I auth against A with Facebook, A uses the token to impersonate me against B. ISTR Google had basically the same bug. A median startup will not find that bug. Storing a random token in a database? Very likely they won't mess that one up. Also, if you do (let's say your randomness generator is MT as opposed to a CSPRNG), it's easy to fix, because you control the validation endpoint.

It is not a bug with Google but instead a problem with "B" as they choose to ignore the "aud" part of the token.

You can't say password-based authentication is bad because some developers choose to store passwords in plain text. The blame squarely lies with the developer.

People implementing auth without being willing to go a little deeper may hurt themselves.
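The replay scenario above (a token issued for client A being presented to service B) and the "aud" point both come down to the same check on the receiving side. The following Go program is an added example, not code from any commenter or from Google, Azure or Cognito: it mints an RS256 JWT for a hypothetical client ID "client-A" from a hypothetical issuer "https://idp.example", verifies the signature with a pinned public key, and then accepts or rejects the token based on the aud claim. The issuer URL, client IDs and key generation are assumptions for the demo; it also treats aud as a single string, whereas RFC 7519 allows an array that a real validator must handle.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this example checks.
// aud is modelled as a single string here (hypothetical simplification).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// SignRS256 mints a JWT signed with RSASSA-PKCS1-v1_5 over SHA-256, which is what "RS256" means.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 pins the algorithm to RS256, verifies the signature with a pinned
// public key, and only then checks iss, aud and exp. `now` is injected so the
// expiry check is deterministic in tests.
func VerifyRS256(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	// Never let the token choose the algorithm: we only accept RS256 with our key.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	}
	// The anti-replay check: a token minted for client A is not a token for B,
	// even though the issuer's signature over it is perfectly valid.
	if c.Aud != wantAud {
		return nil, fmt.Errorf("token audience %q is not %q", c.Aud, wantAud)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// ReplayDemo has a hypothetical IdP mint a token for client-A, then presents
// that same token to A and to B. Returns (A accepts, B accepts).
func ReplayDemo() (bool, bool, error) {
	idp, err := rsa.GenerateKey(rand.Reader, 2048) // the IdP's signing key (constructed for the demo)
	if err != nil {
		return false, false, err
	}
	now := time.Now()
	tok, err := SignRS256(idp, Claims{Iss: "https://idp.example", Sub: "user-42", Aud: "client-A", Exp: now.Add(time.Hour).Unix()})
	if err != nil {
		return false, false, err
	}
	_, errA := VerifyRS256(&idp.PublicKey, tok, "https://idp.example", "client-A", now)
	_, errB := VerifyRS256(&idp.PublicKey, tok, "https://idp.example", "client-B", now)
	return errA == nil, errB == nil, nil
}

func main() {
	a, b, err := ReplayDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("A accepts: %v, B accepts: %v\n", a, b)
}
```

The order of checks matters: alg is pinned and the signature is verified before any claim is read, so an attacker cannot influence which checks run by editing the payload, and the aud comparison is against a value B configures for itself, never one taken from the token.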