Grandma Can't Write ACLs!


Proponents of full disclosure argue that making information about vulnerabilities available to everyone as soon as possible is best for everyone. Without full disclosure, the only parties with knowledge of a vulnerability are the vendor, the researcher and any less scrupulous characters who have also discovered the flaw. This gives the vendor very little incentive to take any action, as customers simply cannot complain about a flaw they know nothing about.

In fact, in the proprietary software world, critical "responsibly" disclosed flaws often stay unfixed for anywhere from six months to two years on average, even though only a few days of engineering and testing work seem to be justified. (This argument does not apply to open source vendors or projects, where the average embargo time, even for the slowest of the slow enterprise vendors, is perhaps one to two weeks.)

One of the most often encountered arguments against full-disclosure states that users must be protected from complexity at all costs. Keeping vulnerabilities secret until there is an officially supported solution that is compatible with even the most technophobic user is the best way to keep everyone safe.

We would argue that making the information available to everyone will allow those users affected to rapidly develop mitigations and determine the risk to their systems and networks. Bug secrecy proponents (predominantly vendors) maintain that their users do not understand how to use this information, and will lie there helplessly at the mercy of attackers until they're rescued by the vendor. I like to summarise this argument as "Grandma can't write ACLs!": even if network administrators and security professionals know how to use this information[1], Grandma would be terrified by the exposure to complexity and be stuck until rescue arrives.

My response to this argument is that all of us could be the "Grandma" in analogous situations. I have no idea how to service my domestic appliances, or the plumbing in my home. If my car breaks down, I'm in trouble - I am only familiar with the concept of internal combustion at a very high level, and would have no idea how to replace a carburettor. If a news report explains that a design flaw has been discovered in my car, there is very little chance I will genuinely understand the problem.

Just like any reasonable person, I would never choose to live in ignorance of the problems in my car; of course I want to know that there's a problem. Even without knowledge of how my engine works, I am still able to choose between risking driving or staying at home. If I really need to travel, I can hire a mechanic - a professional who will understand the problem, and is able to help make me safe.

If there really are users out there who would find this challenging, then I have trouble understanding how they function in the modern world. We are constantly surrounded by technology, yet few of us understand how more than a small fraction of it works to a degree where we would be able to maintain it ourselves. If something goes wrong with your plumbing, do you stand there helplessly while the water level rises around you, or do you call a plumber? If a news report explains that a flaw has been discovered in your microwave, do you continue using it like a hapless idiot exposing yourself to radiation, or do you switch to a convection oven until there's a solution? And if you really depend on your microwave, would you not call a technician or order a replacement?

If you really care about security, it's an unfortunate truism that you will be vulnerable to flaws in the software you use. If you don't want to get stranded, you have no option but to hire a mechanic. If you don't want to get pwned, you have no option but to hire someone who knows computer security. Even if you do hire someone who knows computer security, they need accurate and complete information to do their jobs. Keeping secrets prevents them from making the best decisions for you.

Bug Secrecy


Unfortunately, full disclosure is an unpopular opinion. Vendors adore bug secrecy, and have million-dollar marketing budgets which they like to spend astroturfing their opinions. Even their favoured terminology, "responsible disclosure", is itself a loaded marketing term coined by Microsoft and the (now defunct) OIS. Of course, full disclosure proponents believe their policy is the most responsible (nobody would argue we should be less responsible; that would be ridiculous), but we refuse to insult your intelligence by referring to it as "super-happy-fun disclosure". Many vendors also like to punish those of us who don't share their opinions: they refuse to acknowledge us if we don't follow their rules and wait for their permission to tell you about a flaw, and the worst offenders will even try to sue us, or try to bully us into compliance.

Bug secrecy makes sense for vendors: you can never complain about flaws because you don't know about them, and the press can't point out their failures, because the details are a tightly controlled secret.

The disclosure debate hasn't ended; both bug secrecy and full disclosure proponents can make good arguments. Unfortunately, not everyone realises this, and some believe that anything that isn't "responsible disclosure" must be "irresponsible disclosure". Please research the debate before forming an opinion.

Notes

1. Write a firewall rule, push an ACL or GPO, monitor logs for intrusion attempts, apply pressure to the vendor to prioritise a patch, or perhaps even disable a service temporarily if the risk outweighs the benefit.