Because pasting doesn't work. Most browsers (like Chrome, IE) just remove the javascript: prefix from your pasted text, and some browsers (like Firefox) don't allow you to execute standard javascript from the address bar.
See the link in the accepted answer. If you try to paste in "javascript: blahblahblah", Chrome is smart enough to remove the "javascript: " part. What the attackers do instead is to tell the victim to type "j", then ctrl+v the rest "avascript: blahblahblah". Just tried it in Chrome, it goes through.