At least three problems, if not more (Score 1, Insightful)
#1 The history of paying for exploits.
This is a relatively new phenomenon, but historically, where it has happened, vulnerabilities have been purchased on the black market by security research companies such as iDefense (now a subsidiary of Verisign). The reason that these companies did this is that these were (and are) exploitable, and were being happily used by the criminal community. Thus, in that situation, iDefense and other similar companies were able to acquire information about known and exploited vulnerabilities, and inform software vendors so that remediation could proceed.
While paying money to criminals is not necessarily something that fills anyone with glee, except the criminals of course, it was reasonably clear that the action helped "the greater good". The same is far from true in the case of building a free market in vulnerabilities. The obvious point is that if a vulnerability applies to some particular product, why should we assume that the legitimate owner of the site or software product will be the highest bidder? It could as easily be a criminal.
#2 Legality - testing.
At least in the US, for downloaded software, the situation is such that the legality of testing software for vulnerabilities is moderately safe. For websites, on the other hand, the situation is that researchers are on rather thinner ice. Some websites do publish policies which describe the situations under which they would never push for prosecution, although many still do not. (Although the recent discussions on this subject are clearly spurring more sites to do this.) The net for websites is that whether or not the testing activity is viewed as criminal is in large measure up to the tolerance, or otherwise, of the website operator.
#3 Legality - sale.
For the sale of vulnerabilities, if a researcher approaches a company and says "I have information about a vulnerability in your product/service, and I'd like $x for it", the answer is that any competent prosecutor could get a blackmail conviction. If you are a legitimate security researcher, I'd argue that the last thing you want is to be branded as a blackmailer. And, per point #2, I think you will find that, as more and more websites release security testing policies, those policies will explicitly not indemnify researchers when the results of the research have been resold or in any way used for profit.
#4 Business ethics.
Granted that most security researchers are not in fact employed by the companies whose products and services they are researching, why on earth would anyone expect to be compensated by that company? For example, if you show up at the office building of some company with a ladder and bucket and then clean all the windows, the office manager might be grateful, but whether or not you get paid for it is another matter altogether. Why should vulnerabilities be any different? Don't all workers have the right to expect the windows of their offices to be clean and bug free?