But I agree with the general premise. It's just that the picture generally gets complex - let me explain.
The way an ad gets served is this. Places that show ads (websites, mobile websites, in-app ad spaces) are inventory. Inventory is of varying quality - an ad on the front page of the NYT is costly, whereas an ad on housewiferecipes.com or something is dirt cheap. Small sites sell their inventory to brokers, who pack it up with other sites to sell on advertising exchanges (the firm I work for runs one of these exchanges).
On the other side of the issue, advertisement costs money. A firm wanting to run ads will contract with an online media agency, which will create an ad and then find inventory to place the ad in. The firm commits to spending X amount of money for Y amount of impressions (hits), so if the agency can find inventory that performs (hits whatever ad metrics required, such as 'time in ad' or 'number of clicks') while being dirt cheap, it pockets the rest. If multiple agencies bid on the same inventory, the price of that inventory goes up (and the website runner makes more money), so it's a game of scooping up cheap inventory on random sites at the times they're cheap.
Typically, a given source of inventory (a site) will contract out to a large number of brokers in order to guarantee that at least one of them will, upon request, be able to serve an ad in the space. 90% of ad networks vet their ads to run clean, because running a malware ad is essentially a death sentence if you ever want to run any kind of premium ad (the ones that make you a lot of money) or buy premium ad space (lots of premium advertisers will specify they only want premium space, like the front page of the NYT). Above-the-board ad networks will run clean, vet their stuff, and charge a higher exchange fee, whereas unscrupulous networks (many based in eastern europe) will charge a lower fee and let all sorts of shit go through.
What does this mean? An attacker with a crafted ad that can beat cheapo mal-detection can buy cheap inventory on a shady network, intentionally outbid other people and pay a minor premium for that cheap inventory, and get their ads wherever they want. The ad network will get shut down if it was really egregious (since running a malware ad can theoretically open you to litigation from other advertisers on your network), but for every network that shuts down there's another that can pop up promising minimal overhead and minimal vetting.
The only real market solution is to whitelist a certain number of ad networks, and have sites commit to only running ads from those ad networks, but this segments the internet into the haves (premium inventory, high quality sites, premium ad networks, premium ads, all expensive) and the have nots (mom and pop sites with mediocre inventory that nobody visits because of the chance of getting cancer from the shit networks they have to run). Beyond that, this problem is unlikely to go away - it's simply too easy to game the system and put whatever you want into many adspaces.