Hacker News

I doubt most small businesses could afford a bug bounty that would exceed potential illegal profits from selling an exploit to bad actors. I don't think the economics work at any scale. Could Google, Apple or Microsoft even outbid a nation state seeking to purchase an exploit?


No, but I think as long as the bug bounties pay enough to keep someone comfortable (along with added notoriety/resume padding with it), you'll have enough moral people choosing to reveal them to the companies rather than bad actors. Maybe that's naive. $1k bucks though probably isn't that number. More like $50k or $100k for 0-day level stuff.


Well, maybe, but states don't just have more resources to buy exploits; they also have more resources to devote to finding them in the first place.


States are not really the buyers to be concerned about. In many cases, the state already has tools that give them enhanced access to target data, all the way up to the authority to obtain and execute warrants. The people that are really worrisome are private malicious actors.



