I did my first conference talk[0] on this, and also have a similar list.
Security consulting is expensive and the value just isn't there at all for early stage companies. It's why I think the OWASP Top 10 should be required reading for founders.
As for my conference talk, the delivery was atrocious (warning if you choose to watch). I spent 5 minutes per startup and churned through hundreds. I didn't name names because there were too many bugs to report after a day or two of doing it.
I agree with you that early stage companies generally do not have much utility in security consulting due to its expense, but unfortunately "crowdsourced security" is not yet a viable replacement.
Once a company has enough funding that it has left the "early stage" point, there is almost no reason not to engage with security firms. This doesn't mean pay a firm $20,000 for a week or two of work, it means find the highest quality you can afford.
My own firm works with YC companies all the time and they are generally very happy with the work I do. I think it really comes down to what you offer. If you charge an unreasonable amount, have pushy salespeople, inflate the findings in your report or just view your job as handing off a report and demanding a bill, you're doing it wrong and not contributing value.
On the other hand, fairly priced security consulting with an eye towards developer education and working with the company to resolve their vulnerabilities contributes a lot of value. More security firms should try to help companies improve their security in the SDLC.
I do hope crowdsourcing security improves. I think it could be better, but it isn't yet. The results in my experience are mixed - for every bounty hunter who finds vulnerabilities you have another nine who just spam for pity findings on HackerOne and Bugcrowd. Most of the successful bounty hunters eventually just open up their own consulting shops or take very lucrative jobs with top companies like Google or Facebook.
I do wish there was a middle ground. I don't think it's fair for security consultants to work for free (which very often happens with bug bounties, even if they are very good). However, I really don't like how inflated the pricing has become at the largest security firms, which appears to be a side effect of having account managers, project managers, salespeople, "solutions architects" and finally the consultants themselves on each engagement.
I can break mobile apps too, but my workflow is less pretty for churning through a hundred companies, so I didn't do anything mobile for the talk. The talk was 100% web-based.
[0] - https://www.youtube.com/watch?v=wzrVYyouQTk