Because software is a massive house of cards and its bottom layers are poorly-funded people and volunteer groups who can't conceive every possible security issue, don't necessarily engage in every best practice to secure their accounts and publishing pipelines, can't single-handedly provide adequate oversight of all their dependencies, and might fall prey to a targeted attack or tempting offer.

And then on top of that are companies building software and prioritizing new features over revisiting old code.