most of the time the developers are interested in fixing bugs for the sake of fixing bugs.
Analysing the fix to tell if there are security implications of the fix is a separate step that requires a very different mindset than just fixing the problem in the first place. There are many, many cases where an exploit has been published and many good security people have the reaction "they were able to exploit _that_ bug???". This means that the accuracy of any evaluation by the developer is low (and tends towards false negatives as the developer doesn't see a way to exploit that bug, even thought it is actually possible)
This results in kernel developers (among others) considering the value of spending the time to try and figure out if there are any security implications of a bugfix for any random bug to be very low
In addition to this, many of the same people consider anything that tags only some of the real security fixes as being security fixes to have a negative value, and this pushes the net value of tagging commits clearly to be a net loss.