Because there is no real formal verification process for smart contracts, it's extremely easy to slip bugs into the contract code, the contract itself is generally immutable (can't fix bugs), and the effects of a breach are generally catastrophic and irreversible.
You are incorrect. Contracts are immutable but you can upgrade your application. There are different patterns, one where you make a shell contract that has pointers to contracts with actual business logic.
Also, there are patterns where the user needs to confirm that yes they want to use the new version.
> there is no real formal verification process for smart contracts
Not following here, instead of process you mean no requirement to do so? The process is pretty clear and simple, there's a few different frameworks being built for smart contract formal verification along with the traditional methods working fine.
What was the last bit of code you wrote or used that was formally verified?
Need more reasons?