They're rich, don't hold civil liberties in high esteem, and don't have a lot of in-house expertise. So, yeah - along with some neighboring states, they're a buyer for tools they use to target journalists, dissidents, etc.
China and Russia are in the same boat, but they are far more capable with in-house tech.
OK I see, re-reading this with your top level post is "not all vulnerabilities are the type that could be bought by (insert state actor)", which makes sense (for some reason I thought you meant that they were buying the type of bugs that would end up getting reported to a BBP, but I just misread the original comment).
And yes the Saudis definitely bought software from NSO Group but it's also been used by plenty of other governments, including half the EU...
(Israel is known to be prolific; many brokers and the whole industry on all sides has a lot of people and entities from Israel. Saudi is publicly obv active due to stories like MSB pwning Bezos over WhatsApp)