Basically, a person acting in good faith now has to report the bug and publicize it while maintaining anonymity, which makes the whole thing much more complicated.
This generates a perverse incentive: don’t report bugs, which then enables real criminals to continue exploiting the system.
If I found a leaking gas main, I would report it to the police, and if nothing happened I would escalate it until the newspapers were involved. The exact same principle should apply to security issues in computer systems.
We’ve seen two cases of this in Denmark in the last couple of years surrounding systems that kindergartens are using. The second one is currently (still) being investigated, but the first one was rightfully concluded earlier this year with the “hacker” being acquitted.
In both cases, it was dads of children in the institution who noticed the bugs while rightfully using the system, and who were ignored when they notified the responsible party about it, until they “shouted it so loudly” that they couldn’t be ignored anymore, at which point they were reported to the police for hacking.
Links below are in Danish, but they can probably be translated if needed.