Why isn't it used routinely?
1. The HTTP_REFERER variable is extremely unreliable - it's trivially easy to spoof, and in addition, many proxy servers strip it out. Any bandwidth thief with any technical conpetence would already mask it out when fetching it for their site or email.
2. A slightly better way to ensure requests for images originate from your own site is to set up a mod_rewrite in your .htaccess script (this is how some sites were famously able to substitute the well-known goatse.cx image for their real images whenever someone tried hotlinking them). However, not all web hosts offer access to .htaccess, and even fewer webmasters know how to set it up. Finally, it too can be circumvented by a determined image bandwidth thief.
I might add that the best way I've found to protect images from bandwidth theft is to bury them as binary data in a SQL database, and embed them into a page on-the-fly using PHP. Thus, any access to an image requires a login to the database plus a valid session id. As to why this hasn't been more widely adopted: 1) it's a lot more work than just using <img> tags and 2) a lot of people probably haven't figured out that, or how, you can do it that way.