As other people said, I think the vast majority of churches do not hire professionals to do their sites. They "hire" a parishioner, who is probably a volunteer, and who's only experience with web design is dragging and dropping things into their free copy of FrontPage Express. They have probably never even seen the code they created, and they don't want to.
That being said, there are some pretty nice standards compliant church sites out there.
There is no reason they can not have a professional website if they hire a professional. Most simply choose not to. There is nothing wrong with having a parishioner volunteer to do the site, but if that parishioner doesn't happen to be a professional web developer, unless god intervenes, he or she will not do professional quality work, and it would be unrealistic to expect otherwise.
The same thing happened across the board though. Ever since WYSIWYG editors took off, the bulk of web design went from the hands of professionals to the hands of amateurs. Even a lot of business sites are horrible because the boss made his secretary or his 12 year old nephew make their company website.
Of course you can't drag and drop together a database application, but most of these types of sites don't require anything that sophisticated, so they are fine with leaving it the mess that it is. Even though they probably would benefit from some sort of CMS, they have no concept of automation and dynamic systems. They don't even have enough knowledge yet to know what they don't know.
What's the security issue in visiting it? Aren't websites are supposed
to be visited.