How can both be true?
People do not make threads about being content and happy. But some do make threads about something they would very much like or dislike. So if you have 1000 people and only 10 want those features, you might see a couple threads about the topic, but this is not saying that the other 990 would also like the feature or see a use in it. So while those few people making the threads might like that feature very much, all the rest pretty much would not care either way.
It is similar to horror games. Often seen in conjunction with tag exclusion. You see complaints about the horror games. Yet those games are still the most popular genre on Itch. So the complain threads, while visible, are actually the minority. As is often so in real life with non-gaming topics.
And basing decisions on the minority's whims is not a good idea. But if of those 1000 people 100 would take the effort to hit that feedback button and ask for that feature, demand would be high and the feature would be higher in priority of things to do.
It is pure deduction and speculation of course. There might be other reasons. But since the basic feature was developed in a day and not removed, I strongly suspect it is an imbalance in demand and difficulty to implement: too few people really want it vs. how much time it would take to implement it in a robust non hacky way. Also, rule of improvised solutions. Those hold up for eternity (there already is the feature, and removing more than one tag might not be necessary for many occasions. Or to put another way, you already can exclude horror games).
Also why do you exclude steam?
Because they have a big budget and a vastly different frame work. In the system they have, implenting exlusion probably was an afterthought not taking effort at all. It might even be an emergent property of the system they use. It is so hidden, that I did not even knew it existed, till I found discussions on Itch about this tag exluding thingy.
Plus, people act, like this feature is sooo common. It is not. If it is, name game hosting sites that have it. I tried to find some, I could not.
what is so hard to implement that in the site itself
I suspect it really is hard in the framework itch operates. Browsing for tags is urls. It is not a closed filter system. It is not even a closed system, since tags are freestyle. It might be a system to only efficiently generate a cross section of sets. Show item if it is in set A and in set B. If you introduce filtering to remove items from result, if it is in set C, you would have to make an additional pass at the results, for each filter, as otherwise you would have to crosssect it with a set of ALL-C. Which might be possible, but also possible would double the catalogue size.
So my guess is, they would have to change bits of the framework or do some ugly after process hacking that might work for single exclusion, but would be even more ugly for multiple exclusions.
are the hacked accounts being pulled from their servers or are users just putting poor passwords? Account hacking is not always a site problem and it is usually a user problem
Credential theft. Look up cookie theft. Not even 2fa will protect against it. If malware has access to your client's files, the browser's files are not protected against this, because windows architecture is crap for decades.
So if you are logged into your accounts, be it discord, itch or other things, like social media, the malware simply steals your session. Itch's hacked account detection is demsontrably not up to the task, otherwise the malware posted on itch would not be posted on hacked accounts so often. Or maybe the malware is even able to upload from the hacked client, making it near impossible to detect the hacking. I do not know. I only see the results: malware on hacked accounts. People download the malware, and since Itch is a legit site with lot's of amateur devs, some warnings might be ignored - if the malware even gets detected. Then the circle begins anew. You can read here for a recent example. The user did not understand what happened. And worse, the hacked account, where the malware was hosted, was a real developer with some games on it. On the plus side it looks, like the user did not get hacked. But this happens every day, and if Itch has free capacity of developers I would rather have them work primarily on preventing this, and secondary on projects like filter improvements.