Not really. That is only looking at the demand-side of a supply-demand relationship. Buyers will obviously prefer a cheaper vulnerability with a comparable effect to a more expensive one, so if vulnerabilities are easy to find at a price point where it is profitable to sell them at $2-3MM, then any finder who charges a lower price than others will be more attractive to buyers. This selling competition can easily drive the price down until it is much lower than the potential upside to a buyer of $10MM with a lower bound of the actual cost of discovery (which I already postulated is low enough that $2-3MM is profitable given that Zerodium is able to acquire vulnerabilities for that price) since anything less than the actual cost of discovery is unprofitable. This is the same reason why water is cheap even though it is absolutely essential to human life, it is plentiful and easy to acquire so suppliers compete on price driving it down to a a value much closer to the cost of acquisition rather than the maximal upside to the buyer assuming no other alternatives are present.
Zerodium is not generally paying out $2MM for vulnerabilities and the people who acquire vulnerabilities from Zerodium aren't monetizing them directly off the installed base of phones.
An important thing to know about the market for these things is that the "clearing price" of an exploit chain is usually a cap, not an actual price; you're paid in tranches, until the vulnerability is burned. You're hoping it isn't burned before all your tranches are paid.
That has implications for the hypothetical business model you've proposed.