<soapbox> That's because we don't, collectively, think about hardware. And we don't think about hardware being buggy. And we especially don't think about "hardware" having inherent security flaws.
(OK, yes, the security folks who crossed over *into* IT do. They aren't auditors, for better or worse.)
A Cisco router is "software" enough (and has had enough bugs :-) that it crosses into our conscious awareness regarding security, but their switches? Nah. Mature product, all hardware (despite running an OS), no bugs. Either works or it doesn't.
Bullshit.
Show me a hardware-accelerated device and I can show you half a dozen ways it could fail unnoticed, (potentially) compromising security as it goes.
Notice that we install local firewalls on every PC but don't use ECC memory to guard against random bit errors. (I do, BTW - even on my PC. It's one small part of why I don't have a laptop.) A HERF gun is a better DoS tool than any virus or worm, by several objective measurements.
The entire IT industry has its head stuck up... you know where, in so many different ways.
Yet, this isn't surprising. Humans want instant gratification, a free ride, and the illusion of control. Those things are all way easier with software than with hardware. (Contemplate the difference between "soft" and "hard", if you will, for a moment.)
Do I expect this to change any time before the heat death of the universe? No. But I sure wish auditors took a wider view of the world.
"Never attribute to malice that which can be adequately explained by stupidity." - Hanlon's Razor (among other attributions) </soapbox>
-Adam