Overhead and fear of losing the key and being locked out feel like two valid reasons; I'm sure there are more I'm unaware of (I should probably add lack of familiarity, hence the lack of knowledge).
Who will check the signatures when so few have signatures?
What dev thinks: "Oh, I can’t upgrade because of this error, Stack Overflow says use this flag --disable-signature-verification, so I do, and now I can develop again."
To my knowledge NPM doesn't currently have a mechanism for signing by authors. Packages are signed by NPM itself on upload, which defends somewhat against repository compromise.