Crypto bug bounties require specialized low level knowledge. Web 2 pentesting is akin to a qa checklist. Imo op is right that web2 bounties are commoditized.
More commoditized but vastly mispriced, especially consequential ones. but there are many laymen and seasoned programmers that would consider web 2 bug bounties to be very specialized, at the same time cosmos and EVMs have been around for at least 7 years now and many devs have only done that work - which is actually a problem in recruiting as many of these specialized crypto devs are quite junior
when Apple is going to fight tooth and nail to not pay you $10,000 while the black hat government contractor will pay $1,000,000 for the same exploit, the market is saying what the real price is and its at parity with what Web 3 is paying