by dwheeler
2905 days ago
I think that's easy: CSP is under-utilized in big sites because it can be hard to transition existing big sites to it. The URL you reference only focuses on "big" sites, which are pretty much always existing sites. Using CSP properly means removing all inline JavaScript and CSS, which is a lot of work and takes a lot of time. Note that this report doesn't give credit if a site uses CSP but allows unsafe-inline (see its footnotes for details). That said, that report also notes that there is growth. A site I manage, https://bestpractices.coreinfrastructure.org , does use CSP in practically every page. There's one page where we had to weaken the CSP requirements, but that page doesn't include any data directly created by a user (so the risk is not low). The most recent version of CSP has some features that may make transition easier (once sites believe they can depend on it). There's reason to hope that CSP will become more common, but it's going to take time.
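The "no credit for a CSP that still allows unsafe-inline" rule from the report's footnotes can be checked mechanically against a response header. This is an added example, not code from the thread, the report or the site mentioned; it assumes CSP Level 2 semantics, under which a nonce- or hash- source in a directive makes browsers ignore 'unsafe-inline' in that same directive, which is what lets a site migrate away from inline scripts gradually.

```python
# Added example (not from the thread): classify a Content-Security-Policy
# header the way a "does this site get credit for CSP" audit would. A policy
# whose effective script-src still allows 'unsafe-inline' gives no protection
# against injected inline scripts. Assumes CSP Level 2 semantics: a nonce- or
# hash- source in a directive makes browsers ignore 'unsafe-inline' there.
from dataclasses import dataclass

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

@dataclass
class CspVerdict:
    has_policy: bool
    script_sources: tuple   # effective script-src source list
    inline_allowed: bool    # True if an injected inline <script> would run
    reason: str

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}; directive names are
    case-insensitive and, as in browsers, a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def evaluate_csp(header: str) -> CspVerdict:
    """Decide whether inline scripts are allowed under the given header."""
    if not header.strip():
        return CspVerdict(False, (), True, "no Content-Security-Policy header")
    policy = parse_csp(header)
    # script-src governs inline scripts; default-src is the fallback when absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return CspVerdict(True, (), True, "no script-src or default-src: scripts unrestricted")
    lowered = [s.lower() for s in sources]
    unsafe_inline = "'unsafe-inline'" in lowered
    nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in lowered)
    if unsafe_inline and not nonce_or_hash:
        return CspVerdict(True, tuple(sources), True, "'unsafe-inline' permits inline scripts")
    reason = ("'unsafe-inline' ignored: nonce/hash source present" if unsafe_inline
              else "inline scripts blocked")
    return CspVerdict(True, tuple(sources), False, reason)

# Constructed sample headers, not taken from any real site.
if __name__ == "__main__":
    for hdr in ("script-src 'self' 'unsafe-inline'", "default-src 'self'", ""):
        v = evaluate_csp(hdr)
        print(f"{hdr!r:40} inline_allowed={v.inline_allowed} ({v.reason})")
```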