Another issue is that security issues are often not visible to normal users. In the websmart example, a normal user looking for development services would have no idea that websmart has absolutely no clue how to do security. So, websmart gets the business, while the client gets a ticking time bomb, without even knowing it.
That, and most developers don't have any formal training in security concerns. I know I didn't when I first started - I had to pick it up as I went. It does not surprise me that these sorts of things keep coming up. Unless something changes - e.g. the majority of computer science degree programs include a course or two on security - I don't expect things to get drastically better.
That said, things like bug bounty programs help raise the visibility. And, at least many of the large tech companies do now respect security. We've at least improved in some ways as an industry.