The only thing I would say is wrong is that malicious actors are heavily incentivized to work against the system.
Now, just because they may be acting outside of the system, does this mean they are not part of the game? Should their incentives not also be considered?
Consider this: https://steemit.com/steem/@robinhood/offline-attack-on-steem-user-credentials
(The latter is powered by the fact that Sybil attacks are so affordable on Steem.)
And the plethora of other threads on security that haven't seen the light.
The dictionary attack could have yielded thousands to an attacker, the social engineering vulnerability can yield thousands to an attacker, etc.
Why would they bother exposing vulnerabilities?
Unless the emotional value they extract from being a non-malicious user is high or unless their investment in Steemit is high, I see little reason not to attack the system.
Otherwise it would not be rational to favour the white-hat approach that carries lower expected value.