Why do phishing emails have spelling and grammar mistakes?

This may well be for the same reason as many scammers rely on the tired old 'Nigerian Prince' strategy: by self-selecting for gullible targets, they can be more efficient.

In phishing, as in scams, sending the initial batch of emails is the easy part. The hard part is coaxing information out of the target (which can require a concerted exchange of emails). That can represent a significant investment of time.

As a result, it's really important to ensure that the people you correspond with may actually give you the information that you're after. It can therefore be advantageous to send a badly-drafted email, on the basis that the people who respond to that are likely to be gullible enough to be phished.

(I would probably draw a distinction between these broad, drag-net approaches and targeted phishing, where you're much more likely to see carefully-crafted and legitimate-looking emails.)

Emails with mistakes are probably from people who don't know English well enough to write it correctly.

Many phishing emails do not have mistakes and may be copied directly from emails sent by the company they claim to represent.

See this for more details: "Phishing" red flags and countermeasures

Spam filters work by looking for certain words. (among many other test)

If these words are misspelled, the filter won't recognize them.