Numbers, numbers...
"... security researchers find about 3 per cent and the rest are found by customers"
So they think it's OK for their customers to suffer find a 30% more vulnerabilities than they would find if a bug bounty program was in place?
Corporate cultures can be so-so, bad, terrible, and then there is Oracle.