Also, you're assuming that there's a market for rootkits/implants, and "tailored access operations", rather than incident responders and checklist reviewers, which is what the giant bulk of corporate cyber security involves.