
Why is it an extortion request and "white hats" if they have successfully found a security issue in your project and reported it to you, without actually exploiting it? Would you rather them not report it to you or even worse, exploit it?


Pay me or I will harm you is extortion, as simple as that.

There's an entire industry now of people that check known vulnerabilities (so they don't invent anything themselves) in software/packages and cross check this against outdated websites, at a very large scale.

They have no morals or security ethics; they barely even have knowledge; they just want to make money with the least amount of effort possible.

Don't ever pay them a cent. They're just as ruthless as spammers.


If several groups of people who "barely even have knowledge" can profit from checking for well known vulnerabilities on websites and reporting them I say more power to them.

If there is an entire industry of people doing low effort work which then discovers vulnerabilities on a company's website that company should pay them, and probably fire some people they've already been paying for not putting in even that much effort to secure their own stuff.

Who is less ethical? The people reporting vulnerabilities and wanting to be paid for it or the companies who don't bother to invest in even basic security practices putting people's data at risk and allowing scammers and hackers to leverage those insecure systems to hurt others?


The word "companies" is doing a lot of work in your rant.

The vast majority of websites on the internet do not have a team behind them. That's exactly the reason why they lack maintenance.

So they're not intimidating well-funded companies, they're intimidating that nice guy who in 2003 built a website for the local bridge club, volunteering his time and money to do so.


> There's an entire industry now of people that check known vulnerabilities (so they don't invent anything themselves) in software/packages and cross check this against outdated websites, at a very large scale.

If it's easy, then the greater the danger, and the more reason to pay the white hats instead of getting robbed by black hats?


> Why is it an extortion request and "white hats" if they have successfully found a security issue in your project and reported it to you, without actually exploiting it?

Presumably because there is some demand for compensation before disclosure?


Sounds like they're the ones who implemented the bad code in the first place, as a honeypot. That's just extortion with extra steps.
