Re: Massively in favour of this idea
It's essentially outsourcing the security testing to an external contractor, with the difference that you don't have to go to the trouble to engage anyone, mess about with contracts etc. From the point of view of software companies, even offering massive bounties is probably still much more cost-effective than to hire someone directly. The largest bounty was $75k, which might have taken months of research by a highly skilled hacker (ahem, security researcher). Hiring such a person directly would take a salary (if they even would agree to be employed, they might not like the idea anyway) at least double that at a cost to the company of close to a quarter-million a year. For a large, or even medium-sized, vendor, keeping a bounty pot of say half a million a year is peanuts.
Also keep in mind that anyone whether employee or contractor can to a greater or lesser extent be sucked in to office politics that can affect how and what they are reporting. It's probably better practice to have the bug-hunting done by total outsiders with no connection to the company.
Biting the hand that feeds IT
