"Why did it take five months for Microsoft to mitigate a vulnerability..."
When a bug is discovered, if it is fixed quickly then everyone is happy ... including anyone who's accessing the user data via the bug because when you fix something quickly then it's very hard to verify that you haven't just moved the bug somewhere else. I expect that when Microsoft saw the bug, the programmers started looking at all the other areas in the code that it might have affected, planning to try and implement a complete fix, not just the first of a few months bug fixes.
Sure, five months is an issue but it's much better than quickly creating a bunch of new vulnerabilities.