Oh Andy, Andy, Andy.
"Why do people spend so long and so much effort into cracking encryption schemes?"
Why do people climb mountains?
"I bet 99% of hackers couldn't do what they do off their own back..."
First up, that very much depends on what your definition of a "Hacker" is. I'm not going to get into that too deeply here, partly because I doubt that this proportional font will allow for a decent ASCII Venn diagram, so let's just make a simple (and largely imaginary) distinction between, say, the Eric Raymond/Stephen Levy model, and, say, the Phrack/Cracker model* of a "hacker" and, pausing for a moment while you google that, assume you mean the latter.
If you were to read the paper describing this attack (I assume you haven't), once you've got past the "neat!" reaction, you would see that, in fact, it isn't all that sophisticated. The cleverest parts are the algorithms for detecting the key and recovering keys from partially degraded images.
Clever, but not rocket science. Basically, anyone with the relevant background in CS and math and the will to do so could come up with this. It's true that the many hapless sKript kiddies of the world who consider themselves 1333t d00dz because they downloaded the latest version of Nessus are going to find such things a bit beyond them, but unfortunately for your argument, the kind of people who craft real 'in the wild' malicious attacks are way past this level.
Let's say we assume a normal distribution for the skill level of the populace of "hackers", the point at which this attack could be crafted is somewhere to the left of the middle (IMHO). Obviously this is subjective, but at any rate, I suspect your 99% figure is way off the mark, let's be generous to the guys who crafted this and say <=50%, because some of it is quite nifty. That's still a big gap.
"...they all use knowledge that someone else researched"
Certainly your malicious geek will use any public sources of information s/he can get their mucky little digital paws on. But that's by no means the end of the story.
"Sure, an encryption system might have some holes in, but those holes are a *lot* more severe if someone takes the time to find them, and then make them public. Windows/Linux/OSX probably has some gaping security holes that no-one knows about and therefore no-one can leverage. It's only when some prat finds them and publishes them that they become a problem."
Some more googling for you, I'll give you the link this time:
And read this, particularly apposite as its author is one of the foremost experts on crypto security:
Again, it's a long and tedious (and far from settled) argument, but in this context, there is far more risk to the users of such a system if the vulnerability is not disclosed, since they will continue to trust a system that is not providing them with security that they think it is. Contrary to what you seem to be perceiving, there are a lot of capable people doing exactly this kind of research and not publishing anything. Exploits leveraging vulnerabilities that have never been publicly disclosed appear all the time. Want some numbers?
I can see how you would have formed such an opinion, since the contemporary "Security Community" seem to be obsessed with winning their spurs by breathlessly publishing POC code***, some of which later turns up in real exploits, and there are some merits to what you say, but the situation is nowhere near as clear as you make it out to be.
*These models are for illustrative purposes only, I am all too aware of their faults, so please don't bother. Been there, participated in the flame wars, got the kill files, over.
**Other opinions are available, but some of them are from Graham Clueless.
*** Some (by no means all) "security researchers" disclose to vendors first, with varying lead times, in order to give the vendors a heads up and a chance to patch the vuln. YMMV