Issue is that for most projects CORS is set and forget. You don’t run into it once a month or even once a year - you run into it when setting up new project from scratch.

Many or most developers work on existing projects that have all kinds of security defaults set somewhere in the past and no one bothers reviewing those.