“Most of the security teams working at software companies have limited time and resources, she suggests — and if their priorities and incentives are flawed, they only check that they’ve fixed the very specific vulnerability in front of them”

Link. The root problem is that customers can’t measure security, or don’t care about it, or have no power. So it’s not a priority for vendors, so they don’t invest in it. (macOS customers, for example, are simply stuck.)