The guy could certainly have just ignored the phone call; just because the company contacts you does not mean you need to help them (even if they are being nice).

While I think that a bug bounty is the RIGHT thing to do in this scenario, the security guy likely couldn't just decide on his own to give out thousands of dollars, so something is better than nothing, and if the expectation was nothing, then well, sounds decent to me.



I think that is literally true; that is, I think that a security person at a large company would be in serious trouble if they paid someone for reporting a security vulnerability out of their own pockets. There are legal implications to opening up a bug bounty.


