Founder and CTO of WhiteHat Security, Jeremiah Grossman has offered ‘some reasons I've heard over the years’. In no particular order:

1 No one at the organisation understands or is responsible for maintaining the code.

2 Features are prioritised ahead of security fixes.

3 Affected code is owned by an unresponsive third-party vendor.

4 Website will be decommissioned replaced "soon".

5 Risk of exploitation is accepted.

6 Solution conflicts with business use case.

7 Compliance does not require it.

8 No one at the organisation knows about, understands, or respects the issue.

Grossman also asked for further contributions, which came in as follows:

1 Lack of prioritisation of the issues

2 More security scanning solutions are too expensive

3 Organisation ignored AppSec Consulting Service's industry best practice recommendation and tried to fix it their own way

4 Vulnerabilities are misunderstood

5  IT managers lose kickbacks from security software providers if they patch every hole

 6 There is no budget to fix the holes

 7 'It’s always been done this way'

8  No one asked us to change it for last 50 products we developed with same code, why you now!?

 9 No one will hack our product/site (its always others)!

More at: http://jeremiahgrossman.blogspot.com/