• On another website I've seen the suggestion that this is a problem especially for closed source products: the priority is to get a working product out the door, often with generations of internal patches and band-aids. Since no one (except possibly hackers) sees these kludges, and the product works properly, the vulnerabilities can go on for decades.

    Of course, open source products have plenty of problems too, but they are exposed to a lot more eyes and, potentially, rewrites.

    ...

    -- FORTRAN manual for Xerox Computers --