Your observation, that a bug hunt will reveal lots of inconsequential bugs, but the few significant ones make it worthwhile -- well, that's entirely the expected result, surely?
Well, I could make some argument about whether it's generally worthwhile even for a few significant bugs... if they are significant, it's likely they would be found and reported in short order regardless of a bounty. And especially if there's a backlog of bugs, I'd say those should take priority over finding new bugs that haven't actually bothered anyone yet.
The security aspect is different though, because those are bugs that have a motivation to go unreported. And there's the 'papercut' type, where small annoyances go unreported. I'd consider it a good question whether bounties are more effective than simply paying an expert (or several) the same amount up-front to comb through things. The old crowd-source vs. out-source argument I guess.
I think the point he's getting at is that a lot of the bugs are not the ones that would trouble users (i.e. they only appear "in the lab"). So although it's still good to fix them, they are low priority.
The farming analogy is bad because it implies people are creating these bugs just to turn them in, which as everyone is pointing out, doesn't make sense and would reflect poorly on the buggy developer, so it would be self-limiting. Instead, I propose he should have said "imported" rats instead of "farmed" rats: instead of killing the rats in the city (the "high priority" ones), people are going out into the country and killing rats that weren't really bothering anyone. Eventually they or their descendants might make it to the city and cause a problem, so we're certainly not sad to see them go (environmental concerns breaking the analogy here
I could have sworn there was an article/blog post a little while back with statistics from a bug bounty program where most of the bugs were relatively trivial (found by automated methods, style consistency, etc.) or else quite obscure, with only a couple 'interesting' ones. But all I can find is this slashdot article, which I don't think is the one I'm thinking of. But I remember the author's summary was also that he still appreciated the peace-of-mind that others had looked through his code and that was all they had come up with, so still a net positive.
traffic was pegged and he couldn't access the Internet
meaning his own torrent download speed dropped since he had to share the link for a while
For a well-known example, the age-old bar tab should have invalidated Amazon's "One-Click". That was well publicized and still got approved. You can claim to be following some set of guidelines, but that just shifts the blame to whoever is making the idiotic guidelines that adding 'on the internet' or recently 'on a mobile device' is somehow a non-obvious extension of prior art. This is an ongoing problem of having the bar set way too low. I don't care whose fault it is, I just want it fixed.
But to counter your direct claims, what do you say to reports of the patent office clearance quotas ([1] [2])? The idea of hurrying up to clear out the backlog only inflates the problem of companies needing to file defensive patents on every trivial little thing, causing even more backlog...
And then there's the whole aspect of "when in doubt, approve and let the courts figure it out" (e.g. [3]) which certainly isn't helping.