The other thing to keep in mind is that these companies are all in the lowest-cost tier of web hosting, which means the customers they're all fighting over by definition don't care about much other than getting the absolute cheapest possible solution. If they have a choice between a $9/month host with abysmal security and a $10/month host with robust security, I guarantee you 99% will go with the $9/month one. So anyone in these companies arguing for greater investment in things like security is going to have a hard time convincing management that it's worth the additional expense.

This tier of the market is also where the less-technical customers tend to congregate, so even if you have great security, most of your customers aren't going to be in a position to be able to appreciate that. You could argue that security is a potential marketing plus, but then you could get the same "pop" by just claiming you have great security without actually providing it. It's not like your customers are going to be able to tell the difference.

The other huge point is it's easy to get some regular Red Team penetration testing, it's quite another thing to get what the Red Team found in their analysis mitigated properly in a timely fashion.

I have several friends who are on Red Teams working for pretty visible info sec companies. The one thing they always harp on is going back to test a companies network or physical infrastructure and finding most, if not all of the necessary fixes have not been corrected from their last visit.

You're right, big companies do have regular testing, but you'd be surprised how slowly those holes and issues actually get fixed.