But you probably wouldn't take the time to write up a nice report and send it to Google either if they didn't pay. Or even try to find the bug in the first place.
(But yea, I think lots of people would sell exploits to criminals for enough money.)
Yeah I think this is the part that never gets mentioned. I'd like to think that most people wouldn't immediately go to selling on the black market, even if the pay is better it's just too risky if you get caught.
But if you don't pay people enough in the first place... then they're just going to spend their time doing other things that actually do pay and your bugs won't get caught except by those who are specifically trying to target you for illicit purposes.
(But yea, I think lots of people would sell exploits to criminals for enough money.)