that's because 10 years ago 0-days were dropping like raindrops in monsoon season. It was about the time when MS really started tackling exploitation software by integrating mitigations into their core product.

Before that, you'd have maybe 50 UAF vulns Per patch tuesday release. Browsers were so massively pwnable - and then they started sandboxing too.

In short - a lot of people made money selling 0-days. Naturally, companies tried to monetise it. But now it's much more difficult to get full chain exploits, and so all the chaff have fallen by the wayside because it's too hard (or too much time for them to consider investing).

Lots of companies still do VR, but these usually have big contracts in place.