They should also be fully transparent and not silently patch, and only issue a CVE weeks later after being called out like they did with RedSun, from this same researcher.

That Microsoft releases vulnerable software isn't the issue (that's a known quality at this point), it's their lack of transparency and refusal to hold themselves accountable.