I find these takes so silly. Bug bunties are a rounding error in the companies budgets, even if they paid out much more freely. There are many I think much more obvious reasons orgs are slow on issues - everything from figuring what is an issue, trying to chase down impacts and more.
I think it's not a matter of not wanting to pay, but not wanting to have your departments "we had to pay someone to fix your security bugs" metric go up.
That's also likely why issues in the core product are taken more seriously.
