Because AD is a security nightmare. It is a collection of ~30 distinct protocols, e.g. bastardized versions of LDAP, Kerberos, DNS, DHCP, X.509 and a few RPC protocols that are all weirdly intertwined, with 30 year old designs. Every few months there is another CVE like 'oh, we forgot to checksum and sign that one field over there, please install this incompatible patch or you will have unauthed RCE'. Since all those patches make things break, there is a lot of vulnerable AD installations out there because most people need to be on "compatibility settings" that are insecure. And even the "secure" settings drop a CVE every few months.