The problem is time rather than money - there are a finite number of engineering hours in a year, the only way to increase that is to add more engineers, but adding more engineers very rapidly starts costing time rather than helping.
I think the strategy suggested here was “why doesn’t Apple just buy all of NSO’s exploits”, to which I responded that doing this for all threat actors is infeasible. I think you’re talking about actually solving the security issues, which is blocked by things that aren’t just money, I agree.