There's actually quite a lot of value in finding and fixing exploits. It's just that many companies prefer the illusion that $1k is a reasonable bounty for SQLi.