The question is broad, so I'll try answering it from a few different angles:
1. Why does no homebrew (let's assume the Homebrew Launcher here) run on firmwares like 4.0?
The answer to this one is simple: the *hax payloads (which the Homebrew Launcher runs on top of) requires things from newer firmwares to run, in order to provide more and better features, sort of like how commercial games (Zelda, Fire Emblem, etc.) typically require newer firmwares in order to use new features as time goes on.
2. I would've thought the lower the firmware, the more exploitable it is. Apparently not, does anyone know the reason for this?
It's true, but there's no reason to stay on firmwares that low (or below 4.x) anymore, since Nintendo added critical things, like the 6.x save key encyption change (
https://www.3dbrew.org/wiki/Savegames#6.0.0-11_Savegame_keyY) as well as home menu themes in 9.0 (
https://www.nintendo.co.uk/Nintendo...HOME-Menu-Themes/HOME-Menu-Themes-923157.html , this is listed as critical, because they ended up being a homebrew entrypoint!). That 6.x save key presented a lot of problems for people until 9.2 became the "golden" firmware to be on.
Finally, there were a fair number of homebrews that run via MSET on 4.x, but before CFW became mainstream, they were very limited since they all ran in an environment similar to A9LH: the 3DS OS wasn't running properly, and any homebrew code running was ran on the ARM9 (the console's security CPU). Luckily, CFWs showed up for MSET 4.x/6.x, meaning you could just boot into an emuNAND and have the latest firmware and still run homebrew while under the 3DS OS.
The only real reasons to be on such old firmwares anymore are either because you've had the console for a long time and never updated it, or to downgrade to 2.x and get your console's OTP for A9LH, if you decide to go that route in hacking it.