Lots of reasons.
First, NSO sell the software, they don't do the hacking themselves (as I understand it).
Second, NSO is in Israel, not where the crime (some variation of unlawful access to a device) is committed.
Third, it's likely that most of the time the government security services are the ones that purchased the software - they don't tend to get prosecuted, not even in high-functioning democracies.
Fourth - and I've been struggling a bit with this - is that although Amnesty and Forbidden Stories were given a list of 50,000 phone numbers, I think that's pretty much it. So Forbidden Stories check a few of the phones they can access - easy, as plenty of journos were on the list - find Pegasus, and make the reasonable assumption that 1+1=2. They did that on some 67 phones I believe.
But some of the higher profile targets that have been in the press - Macron, Rahul Gandhi etc - are there because their numbers are on the list. But without a forensic examination of the phone there's no way of knowing if their phones were actually hacked, and I have to confess I'm struggling to join some of the dots to the conclusions being made in the papers: "Macron phone hacked by Morocco" is a long way from "Macron's number found on a list of phones, some of which are provably targeted by Pegasus, and Morocco the most likely suspects".
That said, I've only just found the technical analysis at https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/, so haven't read it yet. Maybe the links are stronger than I've understood.
EDIT: why not check your own phone too?