Public key infrastructure is quite complex, and not many developers understand it well enough to implement it right even on the client side. This leads to false security, which is worse than no security (as it misleads people).
As an example, I can remember recent research which has shown that in many Android applications the client software uses SSL/TLS but accepts any certificate without proper validation. This leads to the possibility of MITM attacks and, what is worse, the user (owner of the device) thinks that he is secured while he is in fact not.
And what is even worse, developers don't want to invest in security-related education as this doesn't increase profits.