That depends on the vendor. Some vendors are slow, some vendors are fast. It is wrong to say that no vendor even fixes bugs unless they are publicly disclosed, it is not what responsible disclosure means.
Apple rolls out security updates infrequently, but it seems that every time they do, I see fixes for issues I'd never heard of before. Now, I don't exactly seek out vulnerability reports, but they certainly seem to be fixing things that didn't get high-profile articles on social news sites.
But people who submit security issues to them say that their turnaround time tends to be very long. Which is bad for their customers if the submitted security issue is being exploited in the wild.
That said, Apple's track record on this topic is not exactly stellar.