From what I understand, stake pool servers are normally set up so that ADA can’t be stolen from them, not even the pledged ADA. So there isn’t much incentive to hack into a stake pool server, other than harming the pool’s reputation or the Cardano network as a whole. Exchanges are higher profile targets, because they need to keep some of their funds accessible online in hot wallets.
Operators should consider a bug bounty anyway, either directly through social media, or something like HackerOne.