Maintaining cybersecurity insurance is a big deal in the US; I don't know about Europe. So vulnerability disclosure is problematic for data controllers because it threatens their insurance and premiums. Today much of enterprise security is attestation based, and vulnerability disclosure potentially exposes companies to insurance fraud. If they stated that they maintained certain levels of security, and a disclosure demonstrably proves they do not, that is grounds for dropping a policy or even a lawsuit to reclaim paid funds.

So it sort of makes sense that companies would go on the attack because there's a risk that their insurance company will catch wind and they'll be on the hook.

It's not generally good financial advice to pay the overhead of an insurance company for costs you can easily pay yourself (also, things like phone insurance, appliance warranty extensions, etc. won't make your device last longer, and the insurer knows better than you what premium covers the average repair costs plus a profit margin). If you have a decent understanding of where the line is between vulnerability disclosure and criminal activities, fronting any court fees and a little bit of lawyer time (iff you can afford these out of pocket) until you're acquitted should be the better route, assuming anyone ever even takes you to court.

Heh, what insurance company you use should be public information, and bug finders should report to them.