A core issue is that building Android ROMs is very difficult to do in a simple and accessible manner. The build systems generally all require enterprise-server levels of memory, and a build can easily take hours. Every device has a unique configuration; imagine if every brand of laptop ran its own variant of Ubuntu. For most "ROMs" that you find in obscure places like XDA, the builds by random people across the globe are a much greater security risk than good first-party updates.