Mostly because it's a very effective way to ensure things get fixed, while gaining the "attacker" nothing. It's harmful, but so is finding 4000 insecure databases, sending 4000 notification emails, and having 3950 of them ignored (and that approach is probably more risky, so far as inviting legal trouble and expenses). It also neatly removes anyone else's ability to take the data.