• First, Evernote's customer service response was indeed excellent! Not only owning up to the breach, but also forcing a password reset is good. Forcing a password reset with an upgraded password storage mechanism and better rules and checks for bad passwords is even better!

    As far as companies not wanting to admit to a breach, even in unregulated industries without legal penalties, there are only four major choices:

    1) Own up to it quickly. Customers will be upset, yes, but you will set the tone of the announcement, and be able to start out by saying "We've fixed the issue already, but recently...". Like Evernote, if you can get users to change their passwords before the list is leaked to the public, you'll have fewer upset customers - unhappy, but not as unhappy.

    2) See someone else post your password (hash) list publicly, very likely followed by security analysts, blogs, and news media (in large breaches, like the 50-million-password Evernote one here, or Sony's recently) putting out stories before you can respond. In this case, you're very likely scrambling to respond, and may have increased civil (or criminal, depending) liability.

    3) Hope you were hit by an honest extortion racket that will actually destroy the list if you pay them.

    4) Something else.

    Password lists do get posted publicly, used in competitions, analyzed for patterns, and so on, and they typically will be linked to who they were stolen from by customers recognizing their own password, by the password content, and so on. Once someone else has your password hashes, they can control the publicity if you don't get there first.