Generally because Facebook polices Facebook (imperfectly, but the effort is demonstrated) and the damage radius is limited to Facebook users mostly. As long as the easiest way to avoid damage from the Facebook domain is "Don't use Facebook," the larger Internet doesn't need a mechanism to police it.
If Facebook became a trap that frequently hosted malware to strangers, the rest of the net would begin to interpret it as damage and route around it.
Generally because Facebook polices Facebook (imperfectly, but the effort is demonstrated) and the damage radius is limited to Facebook users mostly. As long as the easiest way to avoid damage from the Facebook domain is "Don't use Facebook," the larger Internet doesn't need a mechanism to police it.
If Facebook became a trap that frequently hosted malware to strangers, the rest of the net would begin to interpret it as damage and route around it.
"Might makes right" as they say.
There is no real way a normal person even can flag facebook.