I don't think it's their fault for not making code without exploits. I do think they should try and close them in a timely fashion when the exploit is pointed out though - the longer they wait the more chance bad actors find it in addition to the security researchers. Ultimately they need to cooperate here for users to be safe.