Hacker News

Company makes HW that can potentially harm people, if someone logs in to it remotely and turns all lights green at once. It's possible to find the vulnerability in 15 minutes of getting remote access to the device without any prior knowledge, that gives admin access to the HW. Company rejects the report based on flimsy reasons via a lawyer, threatening with a felony prosecution.

But the person finding the vulnerability and notifying the company is the smug one. :)



There are electrical junction boxes all over my neighborhood, that direct power to the stoplights and residential buildings (?). They have a simple padlock, and could be opened in 30 seconds with a lockpick or bolt cutters.

Nobody tries! Not even to test it out! The question isn't "How easy is it to break in?", but rather "Should I be tampering with this?"


Your analogy breaks down immediately because the Internet isn't your neighborhood, it's effectively everyone's neighborhood, including the state-level bad actors mentioned above.

If someone could access those electrical junction boxes from China or North Korea, I'd want the locals finding the vulnerabilities first.


Hypothetical answer from a state actor:

"We will push an update to Flipper Zero for this, at the right moment.

Thanks to the Flipper Zero, we have millions of devices in the wild that we can remotely control and send signals from. Just wait."



