Hacker News

Linking to this is evidence that you don't understand the entire value of Keybase.

PGP sucks.



Why? PGP works. (That alone puts it above its supposed alternatives.) It has existed for 30 yrs. That's 30 years of being exploited and patched.

PGP (GnuPG at least) is lightweight. I don't need an Electron dependency or a multi-megabyte chat room in the same application (address space too?) that supposedly keeps my private keys safe.

PGP is spoken by everyone, every programming language, having implementations on even ancient operating systems and architectures. Every email client worth its salt can use PGP. Emacs can decrypt and encrypt GnuPG-encrypted files seamlessly; other editors have plugins to do the same.


It sucks because the UX is so bad that people don’t use it, even when their lives depend on it. [0]

Even when they do use it, it’s easy to mess up.

The biggest flaw, though, is that in-person key signing parties were never a viable or realistic thing for identity verification, and web of trust based on that works poorly as a result. The use of multiple signed public social media accounts for identity instead as a way to fix this was Keybase’s main innovation.

For UX, even Snowden couldn’t get Greenwald to set up PGP, and after multiple attempts Snowden eventually gave up and tried Laura Poitras with better results; the burden on the user is too high.

[0] https://moxie.org/blog/gpg-and-me/



