Apart from the people who like to research security vulnerabilities for the fun of it, what other motivation is there? If you run a security company and finding vulns is good PR, or you're running botnets and making money from spamming and phising, or you're targeting companies for data theft, it seems like the motivations are almost always financial.
At least if you paid a bounty, you might convince a couple of the part time security researchers to make a quick buck or two - a little incentive might pay some dividends there. But more importantly, to say the motivations aren't always financial as though that's a particularly meaningful observation, that's exceedingly stupid and indicates a real lack of understanding of computer security in the real world.