Appropriate test conditions.
Would you test a new bullet proof vest by letting people shoot the test dummy in the head? No?
Why's that?
You only test the vulnerability of the technical parts of the system you've control over. DUH!
Supposing you've been sitting in the office writing your own little stored procedure, app, function or whatever, and I'm supposed to write a unit test plan for it... is it robust code? You're pretty confident it is, but then I appear with a bucket of water and dump it over your pc. Oops. Your code didn't allow for that! Back to the drawing board. You waterproof your pc, it passes test one. Test two arrives; the proverbial man in a duck costume wielding a big mallet.
If they were testing the vulnerability of the users to manipulation, it would be a different test. Bog standard hackers don't generally kidnap an SA and pull out his fingernails until he gives up root access, and that there's no 100% guarentee of anything is a given,
However it is a far better approach than employing hackers-gone-straight full time; tapping into a larger pool of resources and not paying anything for failed attempts.
While it doesn't prove anything it does suggests that the sum of money being offered isn't sufficient compensation for the effort required. In the same way as if a safe manufacturer offered a unclaimed 100k prize for cracking their safe, I'd feel confident leaving a lesser sum in it. Conversely, even if it was cracked, and they were forced back to the drawing board, I'd appreciate both their honesty and their pro-active goals of improvement.
It's patently nonsense to say that nothing can be learned, or that there's no value to it. At the very least you've increased their brand awareness.