Re: You don't say
The professor addresses your point in his original post:
"One argument for full disclosure is that companies will not fix vulnerabilities unless they are forced to. However, at the risk of excusing less-than-ideal behavior, looking at the situation from a company’s point of view shows that inattention to a fix may be reasonable. There are a plethora of vulnerabilities and bugs that need to be fixed at any given time, and resources are limited, so where should such resources be allocated? Logically, it would be to address the problems having the highest potential for damage, that is, to minimize overall risk."