Well-known companies (especially those that pay out a bounty) typically receive tens of thousands of formal security reports a year, all from people hoping for a bounty and a place on the "Hall of Fame" list. It's very lucrative and competitive for aspiring security researchers in developing countries to learn information security this way.
Unfortunately, the most well-known companies also average between 5% and 10% report validity (at the highest), which means that they sink hundreds of engineering hours into investigating spurious reports. In fact, there are security engineers at Yahoo, Google and Facebook who, despite it not being the entirety of their job description, almost exclusively fill their time by investigating reports.
To quantify this: if you estimate that about 200 engineering hours are spent on investigating reports each month by the security team (a very conservative estimate), that about 7% of reports are valid, and that the cost of a security engineer's time is about $100,000, you quickly see that a bug bounty for the largest companies burns through millions of dollars a year more than the actual bounties paid out. These numbers might actually increase if you take into account the fully loaded cost of each security engineer, or if their average salaries are higher.
I think it would be great if more companies embraced bug bounties, but to be very honest, the state of most programs' fiscal management is frankly a mess right now.
Second, consider that Apple does have a responsible disclosure program (complete with "Hall of Fame" honorable mention), and that many other "major" tech companies have excellent security without paying out bounties for responsible disclosure. Microsoft had a responsible disclosure program for a long time, and only recently introduced bounties (and the bounties are still for a very limited scope compared to the size of Microsoft's properties). Amazon also doesn't pay out bounties for responsible disclosure.
There is really no reason to not have a responsible disclosure program, but there are coherent arguments against having a bug bounty program.
It is fiscally irresponsible to invest too little in security or too much in security. Software security is a non-algorithmic problem, and the best you can do is risk management.
Look at it this way: if you spent 300 engineering hours a month investigating spurious reports and the only valid reports you ever received were for cross-site request forgery attacks on non-sensitive profile actions, it does not matter what the ivory tower ideal of the bug bounty was, you wasted resources.
"Given enough eyeballs, all bugs are shallow" is like the worst case scenario for an algorithm. Sure, it works, but at what cost? What if you had an internal team penetration testing everything and a private bug bounty program? What if you exclusively outsource to NCC Group or Accuvant?
There is no hard absolute in this. It's generally good to have a bug bounty program, but you really need to be aware of the numbers. For example, Yahoo actually reduced the payments they were giving in bounties for the same vulnerabilities at the same severity because they did not anticipate how many would be found of that type.
The real reason bug bounties are not in place is mostly a combination of insecurity and arrogance.
Google and Apple both have top-notch security teams, but they also have different strengths and weaknesses. Google's relationship with the security research community is a definite strength.
(Can't comment on lcamtuf or the others on their team, as I've never communicated with them.)