I think your "usually" is heavily biased by media stories, which of course report only the exceptional, otherwise it wouldn't be news.

I've reported vulns in school before and got an unexpected bug bounty. I also abused vulns to put games on a school server when I was younger and that time I got a firm talking to. I also know someone and their friend who were around 18 at the time and stole a teacher's password (don't remember how, but nothing clever) and changed some grades of theirs. They were indeed suspended.