Costs are zero. The ransomware platform runs as a server somewhere, and whether they get one ransom payment or 1000 their costs are the same. The gangs that do the hacking operate on commission, they attempt to phish multiple targets (hundreds, more?) at a time. Again, the cost of one payment is sufficient to justify the entire endeavour.
As long as even one victim will pay, then there is no incentive to stop hacking.
Costs are low but not zero. If they were zero then all exploitable ransomware opportunities would already have been exploited. When vulnerabilities are discovered the researchers have the option to publish for reputation, disclose for bounty, or market the vulnerability to criminals or intelligence organizations. If vulnerabilities are sufficiently hard to monetize for criminals then they'll be more likely to get routed somewhere else.
As long as even one victim will pay, then there is no incentive to stop hacking.
This dynamic is covered in the literature on K&R. https://rusi.org/publication/occasional-papers/closing-gap-a...