Because we can’t manually secure against something as predictable as ourselves.
There’s this thing about computer security, and it messes with whatever kind of security you try to employ on your devices. If someone really wants to get in, they won’t bother trying to guess your lengthy password; they’ll just force it out of you somehow. Yes, strong passwords and encryption work well for protecting you in the digital world, but it’s nearly impossible to withstand a (possibly brute force) social engineering attack.
A system is only as secure as its most exploitable attack vector. And it just so happens that if we need to be able to grant access to humans, that opens up a really big risk. Man is not machine and does not operate perfectly. That has its own really useful advantages, but certainty is not one of them.
Until systems start observing and understanding the entire situation surrounding those they grant access to (which is maybe not impossible), the weakest link can’t be made stronger.