Yes, the bounty program doesn't have to be quite as high as the black market value, because most people would prefer to deal with the software manufacturer than with the black market. Good point, I should have mentioned it.
But regarding this endless hair-splitting of the use of the word "infinite", for heaven's sake, I said in the article, and about ten times since, I don't mean literally infinite. What I mean is, suppose the number of security bugs that can be found for $100K worth of effort is... "very large". That means there's no point in you, as a white hat, investing $100K worth of effort to find and fix one of those bugs, because if an attacker was going to spend $100K worth of effort to try and find a bug, and the number of such distinct bugs is enormous, then they're probably not going to find the exact same bug that you found, and therefore you haven't increased the attacker's estimated mean time to find a new exploit.
On the other hand, that doesn't change the fact that if a particular bug has been found and released in the wild, obviously you should still plug that one.
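The "mean time to find a new exploit" argument above can be put into numbers with a toy model. This is an added example, not code from the commenter or the article under discussion, and it rests on assumptions the thread does not make explicit: there are `n_bugs` distinct exploitable bugs, an attacker discovers each one at an independent, exponentially distributed time with the same rate `rate` (an assumed unit of "effort"), and the defender has already patched `patched` of them. Under those assumptions the attacker's mean time to a still-unpatched bug is `1 / (rate * (n_bugs - patched))`, so patching `k` of `N` bugs multiplies that mean time by only `N / (N - k)`, which is the point the comment is making about a "very large" N.

```python
"""Toy model (added example, not from the thread): how much does patching
k of N attacker-findable bugs raise the attacker's mean time to exploit?

Assumptions, all hypothetical: every one of N distinct bugs is found by a
given attacker after an independent Exp(rate) amount of effort, and the
defender has patched k of them ahead of time.
"""
import random


def mean_time_to_exploit(n_bugs, patched, rate=1.0):
    """Mean effort until the attacker hits an unpatched bug.

    The remaining (N - k) bugs race each other; the minimum of m independent
    Exp(rate) clocks is Exp(m * rate), so the mean is 1 / (m * rate).
    """
    remaining = n_bugs - patched
    if remaining <= 0:
        return float("inf")  # everything is patched: no exploit to find
    return 1.0 / (rate * remaining)


def relative_gain(n_bugs, patched):
    """Factor by which patching multiplies the attacker's mean time (N / (N-k))."""
    if patched >= n_bugs:
        return float("inf")
    return n_bugs / (n_bugs - patched)


def overlap_probability(n_bugs, patched):
    """Chance the attacker's first find is one the defender already fixed.

    Every bug is equally likely to be found first, so this is simply k / N:
    the "they're probably not going to find the exact same bug" in the comment.
    """
    return patched / n_bugs


def simulate_mean_time(n_bugs, patched, rate=1.0, trials=2000, seed=1):
    """Monte Carlo check of the closed form: draw an effort-to-discovery time
    for every unpatched bug and record the earliest one, averaged over trials."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        # bug indices 0..patched-1 are the ones the defender fixed; skip them
        total += min(rng.expovariate(rate) for _ in range(patched, n_bugs))
    return total / trials


if __name__ == "__main__":
    # Compare a small, "finite" bug population with a "very large" one,
    # each with the same $100K-worth of defender effort buying k = 5 fixes.
    for n in (20, 100_000):
        print(f"N={n:>7} k=5: attacker mean time x{relative_gain(n, 5):.4f}, "
              f"P(same bug as defender)={overlap_probability(n, 5):.5f}")
    print("sim  :", simulate_mean_time(200, 5))
    print("exact:", mean_time_to_exploit(200, 5))
```

With N = 20 the five patches raise the attacker's mean time by a third and have a 25% chance of covering the bug the attacker would have found first; with N = 100,000 the same five patches change the mean time by 0.005% and the overlap chance is 0.005%, which is the sense in which the white hat's effort buys nothing against the attacker's timeline. Note that the model says nothing against fixing a bug that is already known and in the wild, which the comment treats separately.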