The main reason for this kind of thing is simple: the people setting the priorities and development schedules at most web sites don't even know what security is. They think security is a checkmark on an application server feature list, not an ongoing struggle requiring diligence from all programmers.
In my experience, when it comes to QA there will be 50 bug reports about that broken spacer GIF you forgot to copy over to the web server but zero mention of things like session hijacking, cross-site scripting, etc. The only exception to this was when I worked at a site that had been attacked before, and people took it seriously enough to hire an outside security consultant for an audit when a new system went on-line.
The other problem, of course, is programmers who don't know or don't care about security. There are lots of people employed building web sites who have a very rudimentary knowledge of what they're doing, and this is true on any of the popular development platforms. I often talk to Java programmers who don't actually understand the HTTP model or even the basics of how forms work. They've been working with toolkits that abstract it all for them.
Ultimately, I suspect most companies will not be secure until after they have been attacked. The majority of web sites out there are ripe for exploits to anyone who actually cares to break them. Of course a single PC on a good link could take down about 99% of them just by running http_load on the right URL...