
Comodo, TrendMicro, AVG... A lot of security suites made it into headlines the past couple of months because of their incredibly questionable practices. What's the reason for this?


Extremist answer: because the security industry is not about security, it's about psychology. People like to feel empowered to take responsibility for the security of their PCs, and an industry sprang up to sell them this belief. The relationship between this industry and making client PCs less vulnerable is tenuous at best.

Similarly, "compliance" is a ritual executives perform because they have found it to have a calming effect on each other. Any relationship between corporate security activities and "being less vulnerable" is accidental - mostly it is about generating reams of paper to prove that the ritual is taking place. When a security consulting firm sells an audit to a business, it's not about fixing what the audit finds, it's about the ability to say "Well, such-and-such reputable firm did an audit, so we did our jobs." If you're clever you can charge a clueless SME $100,000 just to pay your technician $15/hour for a 2-hour Nessus scan and give them an auto-generated PDF audit report recommending that they turn on Automatic Updates.

A very, very small subset of the security industry is actually engaged in making software or business processes harder to exploit.


No one bothered to watch the watchers (most of us just uninstalled commercial anti-virus/anti-malware crap, or moved to other OSes).

Until now, when Tavis Ormandy decides to do this frustrating, unpleasant work as a service to humanity.


Improvements in the security of Microsoft desktop operating systems are sucking all of the oxygen out of the desktop security marketplace.

3rd party browsers have also had an equal impact on the desktop security marketplace by competing with (and replacing) IE.


To quote Harvey Dent in The Dark Knight: "You either die a hero or you live long enough to see yourself become the villain."


Taviso has been on a rampage.


Yeah, I forgot to mention Sophos. I'm glad we have him.


Don't forget FireEye
