Why are many web APIs so bad?

The default “setting” does indeed prevent cross origin requests, but the API can also easily set its server to accept cross origin requests.