perhaps because they are shipped that way?
Microsoft ships servers with most security features set to low security,
because customers whine and complain otherwise.
For the case of clients, it's more subtle than that.
Microsoft chose the security settings in such a way that low security
was too low, and anything higher was too cumbersome to use, because
they didn't want people to turn off proprietary features like ActiveX
that they believed would give them a competitive advantage. They
provided the appearance of flexibility and fine-grained control, but
not the reality.