Because most ad networks and analytics providers don't tell you what CSP header to add to work reliably. Partly because ad networks can rotate in ads/resellers/scripts from hundreds of companies. Also, the resulting header can be quite long delaying the first byte of content (for each resource on the page).