And somebody looked, so clearly the bounty worked! But the cost to find a bug has practically nothing to do with the impact of the bug. The incentive is to find bugs, not a particular world ending bug.
I am absolutely OK with the idea that you'd stop using LastPass because they have a bug this dumb. I'm even OK with you believing that LastPass should pay more than other companies because they are so clearly reliant on external researchers to work on spec to find the simplest possible flaws in their code.
The only problem I have is with the virulently bogus meme that companies should pay more for vulnerabilities because otherwise the "black market" will outbid them. No:
* The "black market" does not in fact want these vulnerabilities.
* Finding a vulnerability and then not using it to to enter into a criminal conspiracy simply isn't praiseworthy, and reasonable people don't have to paid not to do that. It's hard enough to do this kind of work in a society that believes there's something sketchy about finding vulnerabilities at all, without the constant chatter about how maybe they could just make a living by enabling crime.
* The argument doesn't even make logical sense. If the vulnerability is easy to find and exploit (as this one was), then no matter how severe it is, it doesn't command a high price because you could spend less money to independently rediscover it. Moreover, there are surely many other vulnerabilities to be found in the same target. The economics of the argument are all wrong.