[trox]

Because properly securing your systems is hard, especially if the attack surface is large. The attacker only needs to find a single weakness. Furthermore, you don't hear from all the teenagers trying to find vulnerabilities across the web, just when there's headlines.

[protastus]

Yes it's hard and also not done well. Most companies don't fund security as much as they should. At best they'll hire an occasional consultant for the purposes of compliance with a supplier agreement or industry regulation they have to meet.