That may explain some of it, but I've seen it all over, including in places I know that is not the case.

Mostly I think it boils down to a combination of a CYA mentality, risk averse managers and unskilled security personnel.

Making a decision that this Critical (potential) vulnerability does not need fixing is a decision that none of the above want to make and stand by, or have to explain.