Because large sites did not immediately appear with a heaped backend.
And they were built for years, and maybe decades already.
You can’t just take and throw away the old code, data, etc.
You still have to be backwards compatible.
Again, many still use hashing, but a banal enumeration will give out most of the passwords.
Which in the total mass is usually 123456, etc. See the top 100 passwords from any leaked database.
Also, some protocols/software require plaintext passwords.
The simplest example: authorization on mail.ru with a mailbox from another provider.
There is no other option than to store it in the open. Same thing with other mail collectors connected to each other.
And of course, human stupidity should not be underestimated, developers do not always think / know about security.

possible scenario:
we're shit-coded and trying to take off by accumulating "technical debt" in the form of a safety net, and when the site becomes large, the debt remains unpaid.
did not have time, forgot, postponed, did not
allocate resources for this and the debt remained.

A strange question, and even more so at the wrong address :)
Ask him from those resources, then tell us.
In general, here, as always - "Well, somehow it happened like that"