Because it is hard.
(Disclaimer: I used to work for a company which bid unsuccessfully a few years ago to fix up the Christchurch system)
Probably the hardest part is the decentralised nature. How much money do you have out there? If this card claims to have been topped up by a terminal but you have no record of that, either the terminal is slow at reporting back, or the card is lying. By the time you know, it's too late. We have no way of communicating with a card except when it happens to be brought on bus, and at that point we don't have an internet connection.
Second hardest is probably balancing trust with flexibility. We want to enable internet top-up, but how do we get the money from an authorised transaction to your card without forcing you to buy a USB to NFC adaptor? We don't want to trust the card, or at least we want to test it for hacks. We don't want to trust the terminal, a single break-in there could cost a lot. And most of all we need to be constantly worried about primary keys - a break-in to signing keys would destroy everything.
Third hardest is the cheap hardware. Customers expect to get bus cards for free, which means you can't afford more than about $5 per card. Also with a couple terminals per bus you need perhaps a thousand terminals in christchurch - many of which will only be used a few thousand times in their lifetime and so they can't be expensive either.
Fourth hardest is probably the response time. You have roughly 200ms from card presence to approve/reject. That is not enough time for complicated checking - it is enough to check the has of a card number against a blacklist, or to run a challenge response protocol, but that's about it.
That's just off the top of my head and gives a rough overview. These are largely solved problems, but I can understand why a place like Christchurch with a population of 350k, many of whom don't use PT, would elect to stick with a broken system until a national standard is rolled out.