That's the tradeoff. If you disclose it broadly without a grace period, someone who didn't even know about the vulnerability before will exploit it faster than even the best postured companies can fix it.
That seems to depend a lot on the vulnerability, and the company, and the users.
I'm not suggesting in this thread that coordinating with vendors is bad. I'm suggesting that to frame any non-coordinated disclosure as inherently irresponsible is bad, and that is what is implied when we use the label "responsible disclosure" for "coordinated disclosure".