My armchair theory is that there is a bit of hubris involved: in-house developers are hesitant to admit they've been 'bested' by a stranger on the internet, and so downplay or even just have blinders on against recognizing in the first place the severity of the issue. Though to be fair, I think the flipside is also at times true - where the independent security researcher believes the anthill they've found is a mountain.