A recent survey by WhiteHat Sentinel contains some industry data on factors that inhibit companies from remediating vulnerabilities. Here is a summary of the research:
1) Lack of understanding and/or responsibility for maintaining the code
2) Lack of knowledge, understanding or respect for the vulnerability
3) A third-party vendor is responsible for the affected code, and that vendor is unresponsive
4) Insufficient budget to address the vulnerability
5) The risk of exploitation is acceptable and/or it is not a priority based on compliance
6) The solution conflicts with the business use case
The full report is available here.