It's not just about economically finding bugs...
Anybody with access to Oracle's software can discover vulnerabilities and I'm sure there's plenty of security researchers out there who'd be tempted to sell exploits to crimeware developers or worse, imo, to governments. Bug bounties at least offer another paid alternative.