Re: Whither the gray hats?
"But it strikes me that the best way to fix the problem is to accept that the ransomware gangs are doing valuable work, and pay them for the work - as long as they inform the right people instead of using their access to lock stuff."
There are already red team hackers who do just what you describe. The problem is getting the organization to implement the correct changes to patch the holes, which leads me to my next point ...
The only reason that having such a robust security response is necessary is because of criminal activity in the first place. It's like saying that someone who breaks into my house and steals my stuff is doing me a favor by highlighting the weaknesses in my home security. In fact, the only reason I need security is because of thieving assholes. In practice, it would be much nicer if I could just leave my door unlocked and not have an unsightly iron gate in front of my house, but I can't because assholes.
As an aside, I agree that there is a more complex discussion which could be had in regard to financial and other incentives which motivate the ransomware scum. On balance, however, I just wish they'd fucking crawl into a hole and die.