The primary reason most companies haven't fixed their vulnerabilities is due to lack of resources and budget. Companies often lack the necessary resources to dedicate to patching their vulnerabilities, and with limited budgets, they may not have the funds to invest in patching resources. Additionally, companies may not be aware of the potential risks associated with leaving vulnerabilities unpatched, or may not have the expertise to assess and address them.