I find this hard to believe, given the current state of the world. If it were really as easy as hiring a hacker for <$1M to hack any given company then hundreds would be hacked every week. There are an awful lot of businesses that would pay a sizable ransom rather than let their business be destroyed, or have a large amount of funds that can be stolen, or have valuable data.
I think the reality is more that most well-prepared companies can be hacked, but that it takes a lot of resources, and that there are a number of companies with atrocious security that can be hacked with a moderate amount of effort.
First of all, tens to hundreds of companies are being hacked every week. The exact numbers are hard to exactly determine since they are not required to disclose the information. Here is a publicly available report on the state of ransomware in 2023 [1]. Of 3,000 respondents 66% were hit by a ransomware attack in 2023. So right there we have ~2,000 successful attacks which would be ~40 per week, just from the companies directly surveyed. The rates are consistent across company size, so if we assume it is representative of large companies then over the probably tens to hundreds of thousands of companies with over 50 M$ in revenue, that would be tens of thousands of successful attacks per year averaging out to hundreds to thousands per week. And that is just ransomware.
Second of all, 1 M$ of hacking resources is like one or two person-years of skilled hacking labor. The counterfactual scenario you are considering appears to be tens of thousands of companies being hacked for 10 M$ per for a total of 100 G$ of revenue per year. Do you realize what you are expecting there? You wonder why 18-year-old hacking nerds could not bootstrap a 100 billion dollar per year business (more than the estimated revenue of the entire illegal drug trade in the US and similar to the revenue of Facebook) with no venture capital and train and hire 10,000 skilled hackers (nearly an entire Google's worth of software developers) in under 10 years? Give them a break, 10 years after Facebook was founded they only made 12 G$/year and you are expecting some kids with no support structure to do 8x that while bootstrapping. For the world to look like your counterfactual, they would need 1,000% YoY growth for an entire decade; that is ludicrous.
I hope it is now clear that the reason everybody is not being hacked all the time is because there has not been enough time to grow into that yet. They are trying really hard though. Look at that report again. The mean ransom payment doubled from 2022 and the rate of high end payments quadrupled. In some other reports (that are behind signup walls), the number of attacks has been tripling YoY and the mean payment/ask has been tripling YoY for the past 5-10 years. That growth curve looks like a wall. The 18-year-old hacker nerds who started these criminal enterprises 10 years ago are now 28-year-old business people with 10 years of experience under their belt and have access to real organized crime support structures. This is why the attacks are growing so quickly; this is a greenfield opportunity that everybody is rushing to exploit as quickly as they can, but there are real limits to training talent and bootstrapping. Give them some time, we'll get there.