So here's an idea: improve security by stopping the hoarding of 0days.
Built a company that buys 0days and doesn't immediately turn around to get them fixed? Too bad, this is a business model that leeches off everyone's insecurity and is now deemed unethical like so many other seemingly-genius business plans. If you're that good, go find a different thing to do with your time.
Note that this applies to states too: in my book they're welcome to buy/incentivize 0day info, but only to then get stuff fixed ASAP. Any state that keeps a 0day "just in case" is failing to protect (among others) its own citizens.
The ability to inflict massive damage to a nation's infrastructure is now part of modern weaponry. It's akin to asking militaries to stop buying weapons. We have basically split the atom here, we aren't going back.
If you don't want people hacking into your systems you need to go full Galactica, disabling networks and having stopgap measures on every critical device.
There's a great book that talks about this ecosystem (of buying bugs, vulnerabilities, and other 0days), among other cyber security related things:
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race