Because the software doesn't know who is a thief and who is a legitimate user. It only track authentication errors.
It is probably legal but Apple has to be careful before implementing it especially if it is on by default.
For example, imagine you are drunk, you try to unlock your phone and fail (because you are drunk). The phone takes a picture of you and sends it to where you don't want drunk pictures of you to end up. If it is the default behavior, I think you can claim some invasion of privacy.