Because the format of hashed string ($2y$10$salt....) itself gives clues to hacker(i.e, who hacked the DB) that the encryption is done using Bcrypt algorithm and so he can easily hack by using password_verify() in php by passing parameters as his guess passwords.
Best How To :
There is no disadvantage in storing those BCrypt hashes directly in the database, none of the parameters are meant to be secret. Furthermore they allow to switch to a better algorithm (or increase the cost factor), without becoming incompatible with older hashes.
If those parameters would be hidden somehow, an attacker would have to guess them. But there are not this many possible values, a cost factor e.g. only makes sense between 9-13. If you really want to add such a server side secret, there are much better ways to do it. You could encrypt (two-way) the already hashed values with a strong key, then an attacker has to "guess" this key, which is impossible.