Lets keep with the analogy, as wrong as it is. If you discover a serious bug, you usually disclose it privately, allowing the maintainers to patch the problem before disclosing. When the embargo is over, the bug is already harmless. Why we do that? Isn't that security through obscurity? Why we consider unethical to just disclose serious zero day bugs that might even get someone killed, or thousand of script kiddies that would never discover the bug on their own can profit from it easily?

Security through obscurity actually works in real life. There are lots of people that hide all their lives in a humble way, only to get discovered as millionaires after they die. Because you don't have hundred, thousands of bots looking for "vulnerabilities" on everyone's life at almost zero cost and big potential profit.

Who says he has the money? Even if he really is who they say he is, why do you think he actually has that money? It hasn't moved since it was made, it was probably casually lost during testing and will never be recovered by anybody, meaning it basically doesn't exist at all.