It seems more likely that they don't realize it's even important until they get hammered for details on what they used. Some PR person asks an engineer and he says "Yeah, it's fine, we hash/encrypt the passwords.." and only after they eventually disclose what they were using and have it explained to them do they realize they screwed up.