Because CVE means accountability. It’s very easy to shift accountability onto someone for an unpatched CVE. If given the chance to escape that accountability I’m sure every megacorp would jump at it.