It is the common balance between ease of use and security. The most secure system I can imagine is a switched-off system inside a physical safe in a secured room in a strong building, with armed guards around. But to access it, you have to physically enter the building, go to the secure room, tell the guards why you are there, open the safe, switch the system on, do the job, and then revert everything, meaning switch it off, put it in the safe, lock the safe, leave the room and the building. Phew...
Hiring human beings is quite expensive, so instead of having a bunch of employees, each with a car and ready to go to the water treatment installations just to change some parameters, you just connect everything to the internet, and then a single employee can control a number of remote systems. Furthermore, a rather good part of system maintenance can be performed remotely by the system provider, again with a serious saving of money.
So serious organizations do an analysis of security risks, with the chance of occurrence, the impact, and the cost required to eliminate or reduce each risk. From that point they can objectively decide to establish some actions to reduce some risks and accept others. Exactly like in real-life scenarios: I have a lock on the main door at my home to prevent casual bad guys from coming in, but I know that if an important organization decides to break in, I cannot prevent it: the cost of securing all the issues (including the roof) is not acceptable from my point of view. So I accept that risk, and contract with an insurance company to partially transfer it.
But I agree with you on one point: when it comes to the IT world, many people, for both their private and work life, fail at doing that security analysis, and leave sensitive information unprotected without even thinking of the possible impacts.