Why does Qubes OS not get more attention from big players?

Back when I was younger, I made a post asking about Qubes’ lack of deployments by actual entities:

That thread wasn’t as pleasant as I expected.

Three years later, I think I have a better answer, thanks to the most well-known cybersecurity company of this decade: CrowdStrike.

The reason so much went so wrong for so many is homogenization, and while some of this is driven by the natural consolidation of things (e.g. how corporations naturally merge into megacorps, why the wealthy get richer, and why a few products have almost all the market share), another major factor is insurance.

In this age of breaches and liability, companies need cyber insurance to make sure one bad breach won’t sink the company. If I remember correctly, insurers have specific requirements on what they will insure and under what circumstances. This is how a large chunk of the corporate world ended up with Windows protected by CrowdStrike.

A company running Qubes is unlikely to get underwritten, partly because few if any insurers are familiar with the system, and also because there’s no extra assurance via CrowdStrike or some other EDR. That, and Linux is gaining a reputation as being less secure, which I can see the argument for, so a system made up of Linuxes doesn’t exactly make insurers comfortable, despite the reality of Qubes’ situation (Linux’s security is underwritten by both Xen and compartmentalization).

A lot of the above is speculation based on what I’ve gathered from Hacker News posts and elsewhere. I would love to learn more about this if anyone has any insights.
