People might mostly take what they're offered and have it amount to a decent enough hourly rate, but there will be that one in ten or one in a hundred unhindered by moral and/or legal considerations.
At that point, it turns into a cost calculation - perhaps it would indeed be cheaper to pay tenfold or more to a hundred people than have just one sell their bug/exploit/whatever to another, more interested buyer?
Apparently so. That's what they're offering and paying. The entity that most benefits from FB security is FB, and they seem to be OK doing this.
To incentivize people to tell them and not sell it to hackers? Because these sorts of things are very valuable to Facebook and they have gobs of money? Because a higher total would make more people interested in looking for issues?
Facebook is a closed system; an exploit there is worth precisely nada. Any use of it for monetary gain will be shut down fast and probably audit-logged to find you. Find a kernel-level exploit that allows you to execute any command you want at any administrative level on Windows/Linux/etc., which allows people to drastically increase their botnet size? That'll get you some cheese.
How do you recoup 50k on FB? Not a theoretical "I'll hack Tom Cruise's pictures and blackmail him" but an actual demonstrated business model.