In this case, no insiders broke the embargo. It was reverse engineered from the patch by an unrelated third party and a proof of concept immediately came out of it. At that point, it's kinda fair game.
I assume that while Mythos may be really good at finding vulnerabilities, lighter models may still do a pretty good job of explaining/exploiting the vulnerability if given the patch which fixes it.
Maintainers attempt to reduce the likelihood of that somewhat by giving security patches boring-sounding commit messages. When there are thousands of patches for every kernel release to sift through, that adds a small barrier for would-be exploiters.
For proprietary software, sure. But open source projects rarely ever work like this.
Especially for a project like the kernel, there's no reasonable way to decide who out of thousands of interested parties should have access first.
Android is a rare exception: as of a few years ago, they started a program where phone manufacturers get very favorable early access to AOSP code 4 months ahead of public release.