I think you're ignoring how some of these people get into this criminal line of work. Suppose you had been doing honest work as a developer, or maybe even something like a pen tester. Suppose one day you discover a really reliable vulnerability you can exploit in some really, really widely used software, maybe the SMB service on Windows or something. It works just about everywhere and gets privileged access.
Now you've got choices:
Tell the vendor - who may be happy to hear from you so they can quickly and quietly patch it. They may even pay you a small bounty. They may also do nothing. They could potentially even try to prosecute you. I can tell you I WOULD NEVER CHOOSE THIS OPTION: little possibility for reward, lots of potential for pain.
Publish it in the legitimate white hat security world -- Probably the best choice. You'll be getting your name out there, which can really help you. You might even be able to make some money off it directly by talking about it at the various *cons. The vendor or project will be forced to fix the vulnerability, which is good because that actually makes everyone safer. If you publish in the proper venue, at least people who care enough to follow this stuff will be able to take some mitigation steps until a proper fix is available.
Sell it -- risky, sure, but it might not be all that difficult these days. Could be lots of quick money. Awful hard to say no to a quick $50K shot in the arm. You certainly risk jail and could lose everything, but that calculation then depends on your current situation. If you have a good job and are living comfortably with some savings, you'd probably be crazy to try it. On the other hand, if you're sitting there wondering how you're paying the rent this month and contemplating ramen noodles for dinner again, taking your chances on something like that might be pretty appealing.