I think a bug bounty program would be sufficient motivation for security analysts to "be the hero" instead of taking advantage of security vulnerabilities. But those rewards would have to be as handsome as the alternative.