> Take security a lot more serious than they currently do.

That statement doesn't mean much. How do you know they're not taking it seriously enough and still struggling with the enormity of the problem regardless? You could always claim any entity isn't taking security serious enough.

The alternative explanation makes a lot more sense: security is extremely difficult at Apple's scale, serving a billion consumers with complex and essentially always-connected electronic devices (not to mention their huge services business now). Devices that also happen to be one of the single most important attack points that there is.

Apple takes security more seriously than almost any other vendor in the entire world. It's in a small club of vendors that operates at the literal frontier of what computer science knows about building security into commercial products. No reasonable argument about what Apple can do start from the premise that they don't take the problem seriously.

They aren't above criticism. They do some things well that Google doesn't do as well, and vice versa; it would be good if everyone could level up to highest standards set by any in the club. It's totally fine to point these things out.

As for the bounty payout thing, I highly recommend you track down a talk from someone that has run a vulnerability/exploit market; there are a couple. The economics of selling vulnerabilities to the grey market are nowhere nearly as simple as they appear in ordinary message board threads. In particular: Apple offers a fixed, lump sum payment, where every market I'm aware of offers tranched payments that end when a vulnerability is burned.