Hacker News
by tptacek 366 days ago
There is a reason I won't name them --- the ones I know about, a fraction of the total market --- it's not interesting, and I'm not going to get into it.

I'm interested, and I'm sure I'm not alone. This isn't easily researched information, and it would be nice to have a list of organisations to put on my boycott list. These companies should be named and shamed. They have no positive influence on the world. If they disclosed instead of exploited the vulnerabilities they have knowledge of, they would improve the security of most of the world's population. Instead, they profit from the insecurity of the population. This is criminal behaviour and should be treated as such.
You'd boycott these companies, that you don't know who they are? It's not much of a boycott to stop doing business with companies you already aren't doing business with.
How do I know if I'm doing business with them if I don't know what services they offer? Years ago I ended up providing services to a company that was involved in morally questionable activities. When I discovered the extent of those activities I stopped providing services. That company was the GEO group.
You're not doing business with any of them.
See, once again, that's interesting. Especially how you can be so sure of that.

I hate to tell you, but companies like the ones you allude to are incredibly interesting. They're also probably very immoral, and should be known by people who have an interest in infosec.

The companies that sell this kind of product aren’t doing it as a side hustle. It’s not like “oh, well yea, Atlassian mostly sell Jira but also they have a team farming viable iPhone data extraction vulns.”

If you were working with one of these companies, you’d know it because it’s their primary/only product/focus.

Are you a security agency for some sovereign state in the world? Then you already know who they are. Otherwise: you're not a customer.