Nonexistent penalties for gross negligence.
Quick analogy ... imagine if all building codes, regulations and liability for bridges were abolished overnight.
The free market would eliminate all bridge builders that didn't immediately perform a race to the bottom in terms of quality.
That's basically how IT infrastructure works. Security is a business/regulatory problem, not a technical one.
If everyone providing vital IT infrastructure were required to adhere to strict quality control and quality assurance (testing) guidelines, all products subjected to random code quality spot checks, and held financially liable both before and after product delivery for any failure to meet these standards ... then all software projects would cost a lot more and take a lot longer ... but there would be a lot more security and reliability.
Anyway, given my analogy, if bridges were collapsing every day, would you blame the construction workers, the engineers, the businessmen, the shareholders or the government for not providing and properly enforcing the proper regulatory framework?