But what’s the point ? Most vulnerable Linux servers are hosting blogs or dns servers. They’re only useful to run a crypto miner or host a phishing page, and for that you probably don’t need to go further than exploit a wordpress bug. No need to go for the kernel or even root.

Whereas a desktop often has users on it who enter banking details or corporate login credentials. Much juicier targets.

Can be a good DDoS source, lots of bandwidth often. Bonus if they can spoof packets, which needs root.

The payouts are based on what their 'clients' are willing to pay in turn for the exploits. There's just less of a market for Linux kernel exploits. If nation-state actors are involved in deep APT style attacks where they would leverage low level kernel exploits they are going to either develop the exploits themselves or acquire them through their own clandestine channels. Purchasing that stuff from a publicly facing company that could potentially be compromised themselves is high risk and leaves too obvious of a trail.