This was interesting reading. I looked through the repository of examples too.
Some theories about why this can happen:
1. An individual programmer or low-level manager doesn't want to accept any blame, so they go on the attack to hush it up.
2. The company has a psychopathic senior manager, so programmers are terrified of bug reports and do everything they can to hush them up, such as misleading the company lawyer into believing that illegal hacking has taken place.
3. The company has out-of-touch (non-technically literate) senior management and an in-house lawyer who don't understand that the people finding exploits are providing a valuable service to the company.
4. The company lawyer sees an opportunity to escalate the situation to make additional work (and fees) for themselves.
5. One or more government agencies have compelled or persuaded the company to add these vulnerabilities to their products. When the flaw is discovered, the company doesn't want to fix the issue or have it disclosed.
If anyone read the example of the phone-monitoring rootkit, it looks like the product was malware, and it was the only product of that company. So exposing any of the issues with the project was game over for the company; therefore legal action was the only chance at survival. I class this as a rare special case.