Because the businesses have big money!
We get tons of targeted attacks all the time to our senior execs and finance people. We stop most of them, but occasionally one gets through. We always tell people to confirm money transfers with a phone call if even the slightest thing seems off.
People have gotten tricked and wired millions of dollars to the bad guys, the stories are in the industry rags. You'll hear dozens of them every time you go to a security conference.
Government is an even better target, because they are often resource constrained to hire the appropriate talent to protect their assets, and there is constant pressure to cut costs from the taxpayers. I don't know what the City of Atlanta paid after their ransomware attack. but I'm sure it was a lot.