In consumer product development, the software side is often cobbled together by an intern or entry-level SW engineer, who basically slaps a bunch of vendor-supplied firmware or poorly configured open-source software together until it works.
There is rarely top-level direction on how the software should be designed from a security perspective.
Management is usually directed by supply-chain people for whom words like "Rust," "buffer overflow," or "security" are not in their vocabulary.
In most cases there is no budget to rewrite anything in a new, better language, and the amount of software and complexity of the moving parts is too much to understand, let alone rewrite, without a dedicated team of software/firmware specialists.
TL;DR management priorities, quantity/complexity of software involved.
Source: was that intern.