Software purchasers in a lot of enterprise IT are contractually and legally required to carry such insurance in the US. The problem is that the organizations usually impacted are similar to people refusing to pay for car insurance - ones that keep trying to skimp on security so much for legit budgetary reasons (small town police departments come to mind) or because they are institutionally so incompetent and covering it up (Equifax) auditors and actuaries would have trouble pricing their insurance correctly.