Wouldn't you? I mean really, if you had spent a ton of money to develop a product, or even if you hadn't spent a lot of money but put your time into it, would you really give a crap about making sure the people who STOLE IT have the most up to date and secure version? I wouldn't. If you are going to steal from me maybe I can't stop you, but I'm sure as hell not going to upgrade your stolen copy.
If a security hole causes financial loss, why should one company be held liable for their holes and another one shouldn't? It makes no difference what the software is, how flawed it is in your opinion, how many holes there are, how easy an exploit was, etc. If you're going to hold one company accountable for flaws in their software, then you have to do it to everyone. Accountability goes way beyond browsers.
Don't mistake "have to" and "choose to". You CHOOSE to test your products with Internet Explorer. I thought you people were all pro-W3C and pro validation? If your page validates, then it will work in Internet Explorer - so you don't actually need to load up IE to test it out, the W3C validator does that for you. But even if there was no such thing as validation and even if IE didn't render the code the way the validator says it should, it's still a choice to make your page available to users of that browser - just like it's a choice for IE users to check their pages in non-IE browsers and make sure they work there too.
Some people choose to do it, others choose not to. Those who choose not to may be missing out on some visitors, revenue, etc., but either way you look at it it's still a choice.
I'm a Firefox user myself, but Internet Explorer is the number one browser by choice not by force. No one forces them to use IE, nor does anyone force them to use windows. It's in front of them and they use it, plain and simple.