The major reason will always be support burden. For HTTP to work reliably you need to put clients into a DMZ anyway. If you let computer-illiterate end users operate in a DMZ you will end up supporting them anyway, because in the end your network will be at risk of depeering/blacklisting. Supporting HTTP behind NAT is again a significant support burden that costs actual money while your competitors offer service access cheaper. It makes sense to not only not support HTTP behind NAT but block ports altogether for retail and offer proper liability-waived DMZ access under enterprise plans.