Perhaps they need to weigh up...
...the risk of not fully disclosing the issue against the risk of potential zero-day attacks based upon such disclosure and used upon such machines as are not (at that time) updated. At my local library all updates are downloaded and auto-installed when the machine is switched off. Such switch off may happen that night, or the next, or the next. Pretty much the only time the machines are (usually) known to be off is on a Sunday. That's a long time from patch Tuesday.
Likewise at my work, half the Q&A machines aren't turned off (hell, half the time the girls have gone home still logged in AND running VNC servers (WTF for?!) - if I were their IT guy, they'd ALL be in for a slapping), so when are the updates applied? You can't "update/restart" as it happens; no doubt somebody will have spent the last six hours making a PowerPoint...
I usually ignore updates on patch Tuesday, waiting instead until Wednesday evening or Thursday to install (time to see if anything is reported as going "bang!").
So the decision comes down to assessing the likely problems of delays between security patches being made available, and said patches being actually applied.
Now imagine, in all these scenarios, if you disclose details of a hole that has been closed, especially one that was not known to be exploited - you've suddenly and potentially opened the hole to the potential millions of users who have not yet applied said patch. Maybe keeping quiet once in a while isn't such a bad thing?