Valid reason for them is they would have to spend money on supporting and maintaining cross signing. I can image it is much much cheaper to just store priv key.

So if they can get away with it they just do it, no one is there to stop them.