It seems we need to take this seriously. Any project that doesn't open the door for legit hackers (bug hunters) to test-run their security or system and claims they are safuu is really not.
I expect many projects won't meet this criterion.
but the truth is that hacking is extremely rare and most of the world's population would not be able to get through basic security
While I agree most people can't get through basic security, it's not true that hacking is extremely rare. There are many bots/automated scripts out there which can be used to perform hacking automatically. If you ever rent a VPS where you make an SSH connection with a password (not a public key), it's likely someone/something will brute-force your SSH connection.