Because it's slower and has larger keys for equivalent security levels. There's growing concern based on recent advances that RSA and DH may not be as secure as is generally thought. [1]
Despite the unease certain people (like Schneier) have with ECC in general (it is more advanced math and fewer people understand it well), and NIST curves in particular (did NSA choose weak classes of curves?)-- based on public knowledge, there are advances in factoring and the discrete log problem, while there's no similar progress against ECDLP.
If NSA knew some attack against ECC or weakness in p256, p384, p521 curves (i.e. anything which doesn't apply to RSA), that would mean they sabotaged the security of Secret and TS information that's allowed to be transmitted using NIST suite B, which uses ECC and specifically those curves. Military comms between NATO allies might also be using Suite B.
Is it possible that NSA has gone completely off the rails, only cares about the security of their own ECI (which I think tends to use their Suite A algorithms)? Are they willing to throw all other cryptography users, including NATO military comms users and other parts of the US Government, under a bus in pursuit of their ability to weaken generally used encryption? Perhaps, but I think it's unlikely. Speaking of which, does GCHQ use Suite A algorithms, or Suite B (including standard ECC and NIST curves), or something else? And the rest of the Five Eyes? That's something that unreleased Snowden documents probably speak to.
Despite the unease certain people (like Schneier) have with ECC in general (it is more advanced math and fewer people understand it well), and NIST curves in particular (did NSA choose weak classes of curves?)-- based on public knowledge, there are advances in factoring and the discrete log problem, while there's no similar progress against ECDLP.
If NSA knew some attack against ECC or weakness in p256, p384, p521 curves (i.e. anything which doesn't apply to RSA), that would mean they sabotaged the security of Secret and TS information that's allowed to be transmitted using NIST suite B, which uses ECC and specifically those curves. Military comms between NATO allies might also be using Suite B.
Is it possible that NSA has gone completely off the rails, only cares about the security of their own ECI (which I think tends to use their Suite A algorithms)? Are they willing to throw all other cryptography users, including NATO military comms users and other parts of the US Government, under a bus in pursuit of their ability to weaken generally used encryption? Perhaps, but I think it's unlikely. Speaking of which, does GCHQ use Suite A algorithms, or Suite B (including standard ECC and NIST curves), or something else? And the rest of the Five Eyes? That's something that unreleased Snowden documents probably speak to.
[1] http://www.slideshare.net/astamos/bh-slides