Quote: they actually put users at risk by publishing code that exploits the issue
2. The quality of software development employed by your average crime syndicate located in the Wild East is an order of magnitude higher than the quality of the average big corporation software development located in the not so Wild, but Warm and Humid South-East.
2. So the value of protection from not releasing the code is NIL. The description (or often the patch itself) is sufficient for an average Russian, Romanian, Bulgarian (or anywhere around there) software developer contracted to a crime syndicate to produce a working exploit in a few days (tops). In fact, I know people who are capable of doing so in an afternoon between two espressos (with no description, purely on the basis of patch analysis).
3. The value of the exploit as a working test case is priceless. Anything else aside, the "developers" (quotes intended) in big software corps located in the "sweaty" part of the world look at testing and test case writing as a job for lower caste subhumans (I have had "developers" threatening to quit when being told that they have to test and write tests for their code more than once). So they are _NOT_ going to write a test exploit (even if they were qualified to do it). The availability of a test exploit allows the current test staff in your average large corp to test the fix. Otherwise they would have been unable to do it.
So the disclosure style and substance are spot on. It is the timing which is idiotic. Even Google itself does a partial lock-down over Xmas. This time should have been accounted for in the "90" days.