Report such a vulnerability to Google or Apple, and you get a one-time 5 digit reward at best.
Make a business out of it and sell them to governments, and you make 7+ digits.
I'm not saying that the right thing to do and karma may bite you back, but there is a huge market for it.
There's Zerodium, a business that buys vulnerabilities and sells them to governments.
Some of the bounties offered to the researchers, up to 2.5M$ for a single vuln: ZERODIUM - How to Sell Your Zero-Day (0day) Exploit to ZERODIUM
And a quote from their contact page:
Solutions and Services
To receive more information about our cybersecurity capabilities, please contact us using your official government/corporate email address to:
Note: Access to our solutions is highly restricted and is limited to a very small number of government organizations. We follow a very strict due diligence and vetting process for clients and we do not have any sales partners or resellers, meaning that our solutions are only available through our direct sales channel.