They probably just don't know how. If they had professional risk management processes in place they'd be using multi-sig at a minimum