Because the real world breaks OCSP checks often enough that browsers can't tell the difference between e.g. a malfunctioning proxy and an attacker; therefore, browsers don't hard-fail the checks, so attackers can slip past them. And in exchange for that theater, you're telling the CAs what sites you're visiting. It is a crazy system.
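
A small model of the soft-fail trade-off described in the comment above, added here as an illustration and not part of the original comment. The `Connection` fields, the function names and the four sample connections are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    NO_RESPONSE = "no_response"  # timeout, broken proxy, or request dropped on path


@dataclass(frozen=True)
class Connection:
    label: str
    cert_revoked: bool         # ground truth, only known to the CA
    responder_reachable: bool  # False for benign breakage and for blocking alike


def ocsp_result(conn: Connection) -> Ocsp:
    # The client cannot tell *why* no answer came back; both causes look the same.
    if not conn.responder_reachable:
        return Ocsp.NO_RESPONSE
    return Ocsp.REVOKED if conn.cert_revoked else Ocsp.GOOD


def accept(conn: Connection, hard_fail: bool) -> bool:
    result = ocsp_result(conn)
    if result is Ocsp.REVOKED:
        return False
    if result is Ocsp.NO_RESPONSE:
        return not hard_fail   # soft-fail treats "no answer" as "good"
    return True


def evaluate(conns, hard_fail: bool):
    """Return (legitimate connections refused, revoked certificates accepted)."""
    refused = [c.label for c in conns if not c.cert_revoked and not accept(c, hard_fail)]
    slipped = [c.label for c in conns if c.cert_revoked and accept(c, hard_fail)]
    return refused, slipped


# Constructed sample: every combination of certificate state and responder reachability.
SAMPLE = [
    Connection("valid cert, responder up", False, True),
    Connection("valid cert, broken proxy", False, False),
    Connection("revoked cert, responder up", True, True),
    Connection("revoked cert, OCSP dropped on path", True, False),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("hard-fail" if mode else "soft-fail", evaluate(SAMPLE, hard_fail=mode))
```

Soft-fail refuses no legitimate connection but accepts the revoked certificate whenever the response never arrives; hard-fail catches it at the cost of refusing the user behind the broken proxy.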