> I do think they should try and close them in a timely fashion when the exploit is pointed out though - the longer they wait the more chance bad actors find it in addition to the security researchers.

You are assuming it is not already being actively exploited and there will be a timely response to fix it, which is why we have these ticking clocks.