MS doesn't pay for anything they don't absolutely have to, and they do all they can to maximize income. Recall their infamous charity donations of software which they can claim as tax deductions...

They don't pay their beta testers, why should they (in their mind) pay people to find security flaws? As long as it doesn't (seem to) affect MS's bottom line (and it won't as long as they have a monopoly grip on the market), they will spend as little as possible on security issues. If they have to have a line item for "security bounties", then it'll impact their P&L statement, reduce their net earnings, and reduce their stock value. It's not going to happen, IMHO.

Of course, your logic is impeccable, but MS won't follow it.

My $0.02.

Cheers,
Scott.