Yes and also the software industry has never been truly serious about security either: it's more of implied table stakes than an advertised product feature.

Also, customers outsource the risk to their vendors, so as long as there's someone to sue, nobody worries about doing it right. Ship it now and pay the lawyers later.