Because you never reach any goals that get verified if you develop for security. It is like you only getting punished if the security is weak (you get exploited), but you never know if the security you implemented actually prevented a threat. So there is no real rewards.

Would be interesting to know if there is some kind of reward model out there that solves this.