Decent security costs far too much - up front.
In a previous life I worked for a major UK Telco on many things including OSI software and PKI (Public Key Infrastructure).
In both cases IMHO the standards were exhaustively thought out by paranoid boffins who lived in an abstract world but were very good at theorising obscure threats and potential problems.
With OSI the standards were more or less ignored in favour of the RFCs developed on the pricnciple that we are all good chaps so let's work together as easily as possible.
Loads of adopters because it was cheap and easy.
Followed by years of retrofitting the things that the OSI specifiers had thought out but which weren't cost effective to implement on day one.
Implemented, obviously, because security weaknesses had been exploited and financial damage had been suffered.
With PKI the software to build a CA was readily available and almost anyone could issue certificates.
The big and horrendously expensive challenge was to implement the infrastructure in a secure manner so that nobody could spoof credentials and no unauthorised person could create valid credentials.
All the cost and hard work was in the physical security including network separation and in complex process and procedure to validate all applicants for certificates.
So no surprise that corners have been cut all over the place - it just costs too much to implement and police.
Until it all starts costing so much money that the problems have to be fixed.
Anyone hear the sound of yet another stable door swinging in the breeze?
I am puzzled as to why the regular in depth scans on the CA systems with industry leading AV software to check for virus and other malware attacks didn't locate the threats until after someone noticed the network doing bad things.
Or is this another thing that was judged too time consuming and expensive?
One further rambling on PKI - if everyone who had an email account also had to have a certificate to go with it and only signed email from a current good CA was allowed through major mail hubs then SPAM could be cut down enormously.
Cost a bit to implement though, wouldn't it?
I wonder when this will cost in?