Distributions couldn't distribute qmail in the past because the license agreement made it impossible (or at least required such stupid things that no one in their right mind would do so). Its license became public domain in 2007, and I suppose would allow distributors to do sane things with the packages, but Postfix had already supplanted Sendmail as the preferred MTA on Linux and nobody really cared about qmail...since qmail isn't demonstrably more secure than Postfix (and both are maintained by well-known and well-respected security researchers).
And, to be clear, most distributions no longer use Sendmail as the default. Postfix is the default on RHEL/CentOS/Scientific Linux. exim was the default in Debian for many many years, not sure if it still is. Postfix is the default on Ubuntu, I believe. I can't think of any distros for which sendmail is the default MTA.
Postfix has a marginally poorer security track record than qmail does, but Postfix is the saner default choice for normal users. Both of them are head and shoulders better than every other MTA.
I would argue that this is at least partly because Postfix has a larger surface area...it does more, and thus, should reasonably be expected to have had a few more run-ins with security problems. Unless things have changed a lot over the past several years, qmail isn't capable of even functioning in a number of modern email environments, without significant patching.
Once qmail has been patched up to modern MTA standards, it no longer has the pedigree of being built and maintained by djb. I don't know the people who maintain the huge patch sets for qmail...maybe they're good. I know Wietse is more than competent.
But, that may be what you're getting at with "Postfix is the saner default choice for normal users". We support all of them (Sendmail, Postfix, qmail, and exim) in Virtualmin to varying degrees, but we configure Postfix, by default, and very strongly encourage its use over the alternatives (mostly because we know Postfix so much better, and because so many more people use it). About 95% of our users stick with Postfix, though we do have some users of all of the others.