When you say software companies, are you referring to all companies or just the big players like Microsoft etc.?
Oracle are secure by default these days. (I'm an ex-inmate of that asylum). But they make it possible to significantly relax the security requirements. And guess what - companies that can't afford an Oracle DBA relax the requirements to make the systems easier to maintain.
Another small IT company I worked for quite a few years ago developed their own reversible proprietary encryption method and for a number of builds thoughtfully shipped a small tool to reverse the password hashes because the support staff at our customers asked for it. (EM may have got involved on that one...)
There are clearly IT companies that make secure software - it's the nature of the computer security industry that you learn more about the software houses that ship insecure software.