The only reason which comes into my mind is that the providers are simply inexperienced or lack the proper ressources to block such attacks.
Careful, @AOKP, such words could be to your disadvantage
Denial of service attacks can be mitigated by rules like fail2ban, firewall rules, etc.
Distributed denial of service attacks are very different, and it is difficult to determine when traffic is legitimate vs what is a garbage request.
When you control all of the resources from server to pipe, then sure, you can spend time figuring out who is doing what and taking steps to block bad requests, but when you're using a hosting provider, you've got a bit of pressure to resolve the situation immediately, otherwise you're looking at hefty fines (AWS), or service suspension/termination (DigitalOcean).
We make it a policy to not accept high risk customers without a significant investment in a DNS level DDoS protection service, typically CloudFlare (or actually, Incapsula, since they allow WebSockets at a lower pricing tier).
In @AlexFung's case, investigating the nginx access log showed repeated requests from a single IP, with the user agent