I assume one reason would be that some browsers have difficulties handling more than 1024, also this is not limited to browsers, also HTTP servers suffer from this (for example IIS <= 6 can only handle 128).
On the other hand increasing the key length on certificates will slow down the initial key exchange process (sometimes significantly once you get beyond 2048 bit) but have no effect on the strength of the encryption used during the actual session.
Key length is not necessarily proportional to security. A massive key on a crap cipher is still weak encryption. Of course though an unreasonably short key on a brilliant cipher can still be brute forced.
