Take security seriously
I can understand Microsoft wanting to wait for a convenient date on which a batch of fixes can be released as a single set of updates. No doubt this reduces the cost of production, management and testing of the patches ... and for minor bugs and shortcomings such an approach will be acceptable to most users.
Security issues are different, and deserve to be treated differently. The patches should be produced and released as quickly as possible, and should be independent of (i.e. not held up by) the scheduling of run-of-the-mill bugfixes. Yes, it costs more to do it that way ... but allowing security fixes to go unfixed for longer than is necessary is unforgivable.
90 days sounds an awfully long time to wait for a security fix ... and we should remember that if Google can discover the bug, so can other people. There was no guarantee that the bug would remain unexploited until Google published details. The correct time to release the patch was "ASAP" not "in 90 days".