Government-backed entities can also make promises that Apple's money can't buy. Who knows what kind of backroom deals are made that involve citizenship, safe passage, dropped criminal charges, etc.
Big governments aren't selling their espionage services, so they're arguably less important to handle. Moreover, there is likely duplication in exploits between these groups such that buying private sector exploits and patching them will likely take a few government exploits out with them.
The problem is time rather than money - there are a finite number of engineering hours in a year; the only way to increase that is to add more engineers, but adding more engineers very rapidly starts costing time rather than helping.
I think the strategy suggested here was “why doesn’t Apple just buy all of NSO’s exploits”, to which I responded that doing this for all threat actors is infeasible. I think you’re talking about actually solving the security issues, which is blocked by things that aren’t just money, I agree.