Also one order of magnitude less than you could get on the black market for a universal Linux LPE and two orders less if you can make it work reliably.
I believe you are two orders of magnitude wrong, in the upward direction, on that number (the first of them). You're talking about reliable remote numbers there, full chain, full enablement, tranched with maintenance.
It requires being able to execute arbitrary code on the machine in userspace. If you have that, most of the time you don't even care about kernel level exploits.