by quenstionsasked 2693 days ago
Reported an iphone lock screen bug and received nothing. Thanks apple.
4 comments

If it's a serious bug, talk to a zero day broker.
I thought Zerodium (as an example) was only interested in RCE-type vulnerabilities, although I could see others being of value as well.
Zerodium might generally traffic in RCE because they're typically of the highest value. They would likely judge that to be of comparable value to some RCEs, if for no other reason than the number of devices affected. Zerodium also isn't the only one out there.
Where did you report it, was it acknowledged, and was it ultimately fixed?

Having run a large bug bounty program before, I can tell you a few things could have happened here...

* Issue was mis-triaged, or deemed to be very low impact - Maybe it depended on a very specific set of circumstances that was not expected to commonly occur. Usually these get silently routed to QA to investigate.

* Issue was completely overlooked - Unlikely, but security@ is a ticket queue too. Sometimes a misclick happens, or a spam filter picks it up. For every valid report, you can get 100-1000 unrelated messages.

* Issue was already known - Not good to silently ignore, but if it was already reported and in the pipeline, it probably got closed as a duplicate. Companies don't like to discuss vulnerabilities that are being actively fixed.

It was a long time ago (2013). Issue was fixed in the next iOS milestone release, but they gave no recognition at the time and no follow up besides a "thank you for reporting this" email.
Not PR worthy. They took a look at your social media and determined that you were too outspoken.
Next time you need to scream louder.

Lessons learned.