You can turn that question around. Given the manifest possibility of such a act, why haven't more organizations taken steps to prevent them?
We keep hearing from the companies attacked and the press that these attacks are "sophisticated", but this attack started with a simple spear phishing attack. People use "sophisticated" to mean "more trouble than we were prepared for."
Comparisons to Stuxnet seem overblown and (in some cases) self-serving. Stuxnet was designed to undermine systems the perpetrator had no access to; it would work even if the administrators of the target system successfully locked the attacker out. In this case the administrator failed to secure the network from the attacker.
Not every persistent threat is an advanced one.