In one job, I found three exploits. I did the analysis / writeup, and a pull request, and they collected dust for 4 months.
I don’t know why. Maybe it was political (acquisition and certification). Maybe they didn’t understand or recognise the statistics that I used. Maybe they didn’t think it was a problem, since they assumed that no incidents had happened.
My impression is that the buggier the code, the less they care about security, even if it hits them in the face.