• I see two aspects to this.

    1. It could be very difficult for a company to report problems, the vulnerabilities involved, and the mitigation measures taken without revealing important details about their internal architecture. Yes, security by obscurity is not security, but if the internal architecture is known, anybody attacking doesn't have to go through the step of determining what type of architecture, and thus what type of vulnerabilities, they can try to exploit.

    2. I can see value in reporting so that the IT community can pool its knowledge, similar to how the hacker community pools its knowledge. Since this is the defensive side, there is reason for keeping details disconnected from the company that has been attacked. I could see some sort of partnership between "security firms" where publicly known vulnerabilities and attack patterns are fully documented for public consumption. Then, in terms of reporting, companies could report another occurrence of a known attack pattern against a known vulnerability to a partner security firm, who would update anonymous statistics. If a new attack pattern or vulnerability has been observed, then they could report that to one of the partner security firms, who would add it to the database, assuming it didn't involve a non-public vulnerability that needed to be reported to a vendor first.