No, I'm not calling blackhats lazy. But I was reading Dave G's post about WabiSabiLabi, where he talked about the idea that an auction site that gives enough detail about the vulnerabilities gives a smart researcher enough to go out and find the bug themselves.
Which is absolutely true.
But it reminds me of when I was all excited about Napster, and I was having a talk with my dad. I was, at the time, an idealistic (if misguided) youth, and I was expounding on the whole "information should be free"/"music just wants to be heard"/"the future won't have a place for the RIAA" (okay, the last one's still true). And he made an incredibly good point that has stuck with me to this day:
"The point of the lawsuits", he said, "isn't to make music sharing go away. The point is just to make it hard enough for the average user that they'll use something slightly more expensive. And if the music can be offered in an easy format at a somewhat cheap cost, but it's hard to use the free way of doing it, most people will use the legitimate way."
Of course, this was years before iTunes came along, but my dad called that one - even I find BT, Limewire, etc. to be more of a hassle than they're worth. I'll happily pay $0.99 for a song.
And that's the point around things like WabiSabiLabi - it's not that there aren't researchers out there who will go find the vulns themselves. It's that, at a low enough cost, most won't. I mean, think about it - if you're a company doing vuln research, are you going to spend a day of a single researcher's time (at $50-$70/hour fully loaded) to have them try to go find the vuln themselves? Or are you going to spend $500?
It comes down to a smart business decision - if you can buy it cheaper than you can build it, with less effort (and with less opportunity cost, because that researcher can be working on something else), you probably will. It's the same reason that Dave's tools and Metasploit are so popular - they allow the community not to have to go do it themselves.
If they can buy it cheaply enough, most people won't go to the trouble of doing it themselves. It just doesn't make sense.