Why aren't they? Sure, it's an improvement, but we all know they're capable of doing more, so what's holding them back?
The real question at hand is "Is the normal public ready for that big of a step?"

Imagine them placing a stateful inbound and outbound firewall that has popups as to program control to the internet (a zone alarm clone). Think of how many people who use the Windows OS are not currently at a level of computer knowledge to deal with what will happen next.

AIM suddenly won't connect. MSN won't transfer files. Not all websites work now. IRC won't work. Video conferencing won't connect. A billion things that involve having a firewall and configuring it to allow certain programs and services, is beyond the reach of what the public is ready to handle.

So, rather than crippling the entire Windows OS userbase, they are little by little teaching them how things work. By showing them the beginnings of security, people will get "used" to that level.. thus allowing MS to add another leve lof security as time goes on so they can get "used" to yet another level of security.. and so forth and so on.

We know they could patch up a firewall to destroy the skills of zonealarm and kerio, so why not? Because they would rather begin the steps towards better security gradually rather than an enourmous drop of it and lose their userbase (in which the people who would know how to deal with it are a very very small minority.)

"A journey of a thousand miles or a thousand days starts with a single step" - Tao Te Ching