That seems to be saying that currently there is no market for website vulnerabilities, but a market for them might develop in the future as memory corruption vulnerabilities disappear due to mitigations.
This Google/Alphabet VRP change I think is pretty much just about website vulnerabilities.
https://github.com/mdowd79/presentations/blob/main/bluehat20...
Unfortunately the talk wasn’t recorded but he did do a follow up interview on a podcast called Security, Cryptography, Whatever