Because even if a web framework had a multitude of security features, there's still so much a developer can do with the framework that would introduce unforeseen security gaps. This somewhat makes it a liability to advertise security. The first security breach of a system built with the framework would completely undermine one of the differentiating features of the framework.