He doesn’t have to do it, but not worth his time? Sending his code to product-security@apple.com in whatever state it is shouldn’t take him more than 10 minutes.
And yes, he may have spent millions in hours to find this issue, but that’s a sunk cost now.
Granting a license to software that a company has invested millions of dollars in takes less than 10 minutes as well, but that doesn't mean they are obligated to give it to anyone who might find it useful for free. Sunk cost is an orthogonal issue.
It's reasonable to expect compensation for your work. Caveat that they don't sell it to someone who will exploit it.
Building or acquiring something of value in the hopes of profiting from it later is a fundamental part of life. It is why we go to school, invest in machinery, develop products, do research, etc.
It's definitely not worth his time if Apple isn't going to pony up a bounty, especially if he could recoup his sunk costs easily by selling the exploit to a security research / defense contractor.