Is Process Killing the Software Industry?
Passion isn't important. Cost and risk are important. The processes are put in place to (attempt to) minimize cost and risk associated with software development. Experience teaches us that cost and risk are very high when building software.
When it's your money paying for the development effort, feel free to structure it so that you can chase your passion.
I sympathize with the idea that this kind of bureaucracy can suck the life out of developers, but guys, this is work. If it were that fun, they wouldn't have to pay you to do it.
Is Paying Hackers Good for Business?
The value of finding security holes is in disclosing them to everyone, particularly the affected vendor.
The most damaging holes are the ones that only the bad guys know about. This doesn't tend to advance security in software; it just allows people to take over your machine without your permission.
Security research or incentivization schemes that don't include a built-in mechanism to promote disclosure of the discovered problems won't help much.