Fossil OSS
A common reason is that at some point an open source component is embedded into the closed commerical software (possible with many licenses), but forgotten and never updated. Company bureacracy can also seriously contribute to this. In one organization I know, a legal clearance process is required for any included piece of OSS (good practice), but the clearance applies to a specific version only, down to the last version number digit. If you want to update it, if only to get minor bug fixes, you have to request another clearance. You can guess where this leads to...