The #1 problem is lack of education. A large number of software developers have had no formal training in software development. Almost all who HAVE had formal education don't receive any education or training in how to develop SECURE software.
I teach a graduate course at George Mason University (GMU) on how to design and implement secure software. So there are people who are learning, but there are many more to go.
For the most part, countering the OWASP top 10 doesn't cost more, so cost has nothing to do with it. At the high end of security requirements it definitely costs more, but stuff like parameterized statements (countering SQL injection) and using web frameworks that automatically counter XSS injection don't cost any more.
As of next Thursday, UNIX will be flushed in favor of TOPS-10. Please update your programs.