Because devs will not update their Frobnicator for seventeen years, choosing to solve leetcode instead. Eventually the Frobnicator that the devs are using will be so security vulnerable the fact that the source code exists in the package repository is itself a CVE. Because you're a dev, when this happens it's a funny story, but for Bob it's seventeen meetings and having to listen to Franz, the director of development chew out the entire team as if they're utterly incompetent. This means Bob just disables your access to the rest of the systems unless you have a correct Frobnicator, and doesn't care whether he blocks you or not - because you would be complaining to your director either way.

You might be exaggerating here. Anecdotal evidence and all but even the juniors I work with are mostly diligent in keeping their important tooling up-to-date.

Every repo at every FAANG company is full of dependency specifications pinned to versions several years out of date.

Eh, if it's policy then that's another thing. I was responding to your comment that puts the blame on the programmers.