Re: "We've paid $63m over 10 years, $60m in the past 5"
No, it proves neither.
You’re assuming that the rate of awards is steady; it isn’t - from the article, 2016 would seem to be the inflection point on what sounds like an exponential curve of interest in these schemes.
You’re also assuming that issues are discovered quickly; they’re not - some exist for years before they’re found.
As per the article, what’s happened is that more organisations now run these bounty schemes, so more hackers have become interested in bug-bounty schemes in general, so there are now a lot more applications on everyone’s schemes, and thus more payouts.
The (valid) criticism of this from Ms Moussouris is that throwing reward money at hackers shouldn’t be the only spending that companies make on software security, but these days tech companies have lots of cash and lack developers with security expertise, so it’s not surprising that this has happened.