Another way to think about this is that the 1 trillion dollar bug bounty will likely be a bad actor, not a good actor
This.
Also, if we solely rely on such bad actors, we will be blind to any kind of vulnerability until it has already been exploited and thus too late. Security usually works in layers so relying on "we haven't seen anyone stealing bitcoin via a protocol vulnerability yet" sounds like waiting until all layers are breached before we fix something. It's usually a lot of small details that combined lead to catastrophic failure.1
We should already be alerted when some assumptions can be broken even if that doesn't immediately result in a severe vulnerability. But we won't notice if bad actors find vulns with low CVSS.
But it's true, everyone in bitcoin should be incentivized to put our due diligence in keeping bitcoin secure but I am not sure if that's as effective as it sounds.