[saurik]

This assumes something that I don't believe is defendable: that bad people wanting to install keyloggers on these systems did not already have knowledge of this vulnerability (or, even simpler, that one would seriously believe that they would be unable to find this vulnerability without splicer having told them about it, as somehow he had unique knowledge of the system). Just because I don't have a way to protect myself from harm does not imply that I am somehow better off not knowing that people can harm me.

[smsm42]

It does not matter - 99.99% of the users have no means or expertise to detect or disable a keylogger if somebody installed it. Unless there is a tool that would allow them do do it, disclosing the vulnerability is useless for them. On the other hand, if such tool exists, it can probably be published without full disclosure. You are not better of not knowing, you are the same (unless you are in highly qualified 0.01%), however various criminals - who do not have time/expertise to find vulnerability themselves, but can exploit known ones - immediately gain edge over you once it is published. For example, I myself, without knowing existing vulnerabilities, probably could not in reasonable time find one, but given a good disclosure of one, I probably could, using existing tools and with some luck, produce a working exploit for many of existing types of holes.

So the problem is that irresponsible disclosure does not help victims at all, and does help criminals. The only positive thing in irresponsible disclosure is that if vendor is unreasonably slow with issuing patches, and exploits are already known to be in the wild, then the harm is minimal, and disclosure can raise the priority of the fix. But absent this knowledge, responsible disclosure is almost always better for the users.