And perhaps...
... some of the trials and tribulations undergone by security researchers reporting or trying to report issues, and associated changes and proposed changes in law and regulation, might also have contributed to a reduction in reports.
Some companies appear to want to generate an environment where a security researcher can be penalised or prosecuted for even looking for vulnerabilities. Some companies also appear to want an environment where any attempt to publicise (whether to a wide or restrictied audience not limited solely to a specific company) can similarly lead to bad press and the joys of the court, and where any effort by such researchers to claim reward for their effort and findings is somehow translated into being a form of extortion. Perhaps a reduction in the number of reports may be, in part, attributed to the creation of such an environment.
And if the only reward available is one found on the dark side of the street - it may not be surprising if some people are tempted to take their first steps down those streets.
Or not. I'm probably talking total nonsense. After all, I'm an Idiot :-).