New companies with immature systems, old companies hiring young developers doing side stuff off in their own world, bad default configurations, etc.
Most importantly, there's a large number of highly incentivized people probing constantly at mass scale. These days it's very easy to scan the internet (GitHub, IPs, domains, etc.) for information and "bad S3 configuration" detection is just a script anyone can use. No advanced programming skills required.
S3 (and most of AWS) is terribly designed, so you end up googling for access policies that likely work when you are trying to get a new project off the ground. That policy may not be right for prod in the future.
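As an added example (not part of the original comments), here is one way to check a copied bucket policy before it reaches prod: flag every `Allow` statement whose principal is a wildcard. The sample policy, bucket name, account ID, org ID and function names are constructed for illustration.

```python
import json

# Constructed sample: a "make it work" bucket policy of the kind copied from
# search results. Bucket, account and org identifiers are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "CiWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
})

def _as_list(value):
    # Policy fields may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    # "*" and {"AWS": "*"} both mean "any principal".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def audit_policy(policy_json):
    """Return (sid, severity, reason) for Allow statements open to any principal."""
    findings = []
    doc = json.loads(policy_json)
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", f"statement[{i}]")
        if st.get("Condition"):
            # Not necessarily public, but only the Condition stands in the way.
            findings.append((sid, "review", "wildcard principal limited only by Condition"))
        else:
            actions = ", ".join(_as_list(st.get("Action", [])))
            findings.append((sid, "public", "anyone can " + actions))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

This only inspects the policy document itself; bucket ACLs and the account-level and bucket-level Block Public Access settings also affect exposure and need their own checks.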