The reason is that, specifically in the case of crypto, people think that red teams that break into systems are supposed to be getting a financial reward in the form of some funded private key they find.
So, it makes it very hard to organize a bug bounty when people (or nation states) will just try to hack and steal it without sharing their method of how it was done.