• I think that some delay in reports is good. If a severe flaw is found, it's absolutely possible that some number x of criminals, say 10, know about it. Therefore we have 10 people that can exploit the flaw.

    If the researcher discloses that right away, then millions of people can potentially take advantage of the flaw. Even the average programmer at a company might have fun with some DoS or crash attack at their company if they can do it anonymously. Remember, lots of disclosures include example code or descriptions.

    However, if we allow, say, a 3-month delay, then the vendor has 3 months to a) develop a patch, b) test the patch (I prefer they do this), and c) distribute it to allow customers to patch. There can be a delay after c) for many companies who also want to test.

    I wouldn't advocate "delays until patched" as we have now, or delays for a long period of time since we have new people potentially learning of the flaw every day. I do think some reasonable delay makes sense.