Except that if everyone assume that someone would have done the audit, it would also simply mean that no one have done it.
Just do a research on reddit or quora (or google ofc): there’s always the same kind of formatted response.
This is a foolish - if not dangerous - way of thinking.
If I recall correctly, the worst offender was ActiveX, which blurred the lines between web content and a native application. And of course once ActiveX was deprecated, businesses would keep their employees stuck on increasingly vulnerable browser versions.