One of the biggest reasons isn't just the licensing and individual system, but the supporting systems and processes: certification and accreditation processes for security, ability to only pay for one year at a time due to legalities of budget constraints, and items such as mandated ediscovery systems that are tied to the OS and systems architecture they are designed for using. It takes a great deal of experience, planning, and foresight to decouple services and make removal and swap out of key pieces open and even possible to change out. Add to that active defaults by vendors that encourages lock-in as well as the failure to draw in expertise that would survive in such an environment, equates to mediocrity in IT.