Why is privacy not one of the pillars of information security?
Confidentiality is generally a privacy concern. It's just a more general term.
It's like saying animal instead of dog.
In addition to the definitions, you can confirm that by searching for synonyms of privacy and synonyms of confidentiality. You can use confidentiality instead of privacy, but not the opposite.
Firstly, CIA (confidentiality, integrity, and availability) are not comprehensive goals for information security. Other principles like privacy and non-repudiation don't fit cleanly into this famous triad. ISO/IEC 27000:2009 defines information security as: "Preservation of confidentiality, integrity and availability of information. Note: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved." (emphasis added)
While both principles say that personal or sensitive information should not fall into the wrong hands, privacy and confidentiality have slightly different definitions, especially in a technical application. ISO 27000 defines confidentiality as "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." The key here is "unauthorized." Confidentiality aims to provide a dependable way to share information only with those authorized and hide information from all other parties without leaks. This also includes information that could compromise other sensitive information, like CPU timing and power used during cryptography.
Privacy is both a cultural and legal standard that varies widely, and can include the right to be anonymous, the right to choose who information is disclosed to, the absence of intrusion, the right to conceal delicate information, and limitations on access to certain personal possessions (like my hard drive or in-home cameras). Not only do some of these categories not fall cleanly under the defintion of confidentiality, but there are some categories where information access is authorized but still violates privacy.
For example, medical information must follow strict privacy policies. If any of these policies are violated (e.g. unconnected doctors accessing medical records or failure to properly inform a patient how their information is being used) this would be a privacy violation but not a failure of the information security. If someone unconnected in another country hacked into the medical records, that'd be a violation of privacy and confidentiality. Similarly, a database could be set up in the US to allow parents access to college students' grades. While this database could pass security checks with flying colors, it would violate local privacy laws. This is complicated by the fact that confidentiality and privacy are colloquially synonyms. You could say that disclosing grades to parents is a breach of confidentiality, but from a technical perspective the confidentiality detailed in the security policy was not violated.
TL;DR: In infosec confidentiality states that sensitive information should only be visible to parties who have been authorized by the security policy, while privacy is much more complex and holds that sensitive information should only be shared with the intended parties. Access to information can still violate privacy even when all access must be authorized. This is ok because CIA is not comprehensive.
Generally we speak of privacy for personal data (it is mine, and I do not want anyone else to see it) and confidentiality for professional data (only authorized people should see it). In that sense, confidentiality is a generalization of privacy.
On another hand, IT security is a major concern for organizations (or it should be...) and professionals of IT security are mainly concerned with organizations’ security.
By the way, there is a 4th pillar even if it is generally not seen as being as important as the 3 others: traceability (who did what).