Here are the TOP excuses/reasons I have come across from people who would not want to fix a critical or severe security defect:
1. Functionality is prioritized before security.
"Doesn't matter if the application can be accessed by unauthorized users, but the application should be working as we need to GO LIVE !!"
2. Ahh !! We do not need to be compliant to that level of security.
"Lack of basic security measures required for an application."
3. The application will be replaced soon with newer systems. Why bother to change now??
"The system owners with no concrete plan of replacing the system in next phase pounce with this excuse for not fixing the defects at this moment."
4. The security solution is conflicting with the business requirement.
"Remember the requirement is to email the password to the user in clear text. Ahh !! a defect in requirement itself."
5. Inadequate reach of security risk to the customer.
"The software vendor realizes the importance of security and the risks involved, but unfortunately his Point of Contact at the Customer side is a non-technical guy who doesn't realize the importance equally and denies a change."