Because it guarantees that a process will have a determinate user context. As you know, there are floating "NT_AUTHORITY" and "SYSTEM" contexts in NT that are only there so legacy code can run. Plus, there is no simple way to isolate everything executing in a given context in NT - you have to slog through all the processes and get their access tokens. NT was deliberately not built with a determinate user context so that legacy code would run.
Eric Raymond wrote a FAQ about UNIX programming; I think he talks about it in there. He points out that because of all the compromises related to legacy code, NT became practically impossible to make secure. The boundaries are "too porous" as he put it. In a real multi-user system, the user context is always known and determinate.
To give a practical example, suppose I want to immediately remove a user from a UNIX system. I remove his login, find his top-level processes and terminate them, and he's gone. In NT, you make a change to the user database, this has to propagate everywhere, his processes still run until they quit. Because there is no determinate user context, he fades away.
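The UNIX side of the procedure in the comment above, as an added example that is not part of the original comment. It assumes a Linux-style `/proc`, that the account has already been locked, and uses hypothetical function names and a constructed sample process table.

```python
import os
import signal

# Constructed sample table of (pid, ppid, real_uid); not taken from a real host.
SAMPLE = [
    (1, 0, 0),          # init
    (400, 1, 0),        # root-owned login daemon
    (812, 400, 1001),   # login shell of uid 1001
    (845, 812, 1001),   # child started from that shell
    (910, 1, 1001),     # background job reparented to init
    (950, 400, 1002),   # a different user's shell
]

def read_proc_table(proc="/proc"):
    """Return (pid, ppid, real_uid) for every process visible in /proc."""
    table = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
        except OSError:   # process exited while we were scanning
            continue
        uid = int(fields["Uid"].split()[0])   # first value is the real uid
        table.append((int(entry), int(fields["PPid"]), uid))
    return table

def all_owned(table, uid):
    """Every process running as uid; should be empty once the user is gone."""
    return sorted(pid for pid, _, u in table if u == uid)

def top_level(table, uid):
    """Processes of uid whose parent belongs to someone else (or has exited)."""
    owner = {pid: u for pid, _, u in table}
    return sorted(pid for pid, ppid, u in table
                  if u == uid and owner.get(ppid) != uid)

def terminate_user(uid, table=None, dry_run=True):
    """Signal the user's top-level processes; return the pids selected."""
    table = read_proc_table() if table is None else table
    targets = top_level(table, uid)
    if not dry_run:
        for pid in targets:
            try:
                os.kill(pid, signal.SIGTERM)
            except ProcessLookupError:   # already gone
                pass
    return targets
```

Re-running `all_owned(read_proc_table(), uid)` afterwards confirms whether anything survived, such as a process that ignored `SIGTERM`.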