Because for the user account, people use things like "hunter2". But app specific passwords are long random strings unlikely to be reused by the user for another site.
My Gmail password is also long and not reused anywhere. My impression was that it's the app itself that Google doesn't trust, in which case, why trust it with that app-specific password? Can the app-specific password still get leaked and reused if the app is compromised?
