pull down to refresh

Do you mean end user organizations? Customers of vendors? Or are you referring to the vendors?
Mainly vendors. They'll often drive towards profit and only do what's required or industry standard for their information security or the security of their products - no need to go above since for them that'll just be more costs and less profit. Think the commercialization of products selling security features with special names and marketing frills like 'military-grade' - no innovation when you are doing the same thing as everyone else.
iPhone sells their phone as the most secure when in practice an Android (Pixel) are both extremely similar in their implementations (default disk encryption, private messaging app, permission controls, a secure element etc.), just an example.
Things like the Zero Day Initiative are a great way to help bridge the gap and allow researchers to research "safely" and organizations to get their act together.
A lot of the best results come from groups like this I think. It's likely why Apple and Google (Project Zero) have their own dedicated teams for these things too.