Why don't companies accept these basic but important vulnerabilities?

Why don’t companies accept Clickjacking, CSRF, Stored XSS in their vulnerability list for bug bounty program?

Actually, I think that still do, but I think that these vulnerabilities are very common and cause of money expenses they do not care for those vulns

So what’s the case with SQLi and XSS then?

Well… I believe that these are the most critical vulnerabilities because these attacks are connected with the company and it’s customers.
As a result these are much more important threats