First of all I think you need a timeline to help you understand how this vulnerability was handled:
Feb 1st, 2010: VulnDisco is updated with a zero day exploit for Firefox 3.6. No details on how the exploit works are provided. The exploit is only available in binary form when you buy a copy of VulnDisco. Some people buy VulnDisco and have difficulty in making the exploit work. https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/
March 16th, 2010: First 3.6.2 nightly builds that contain a fix are made available: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/
March 18th, 2010: Mozilla announces that the original discoverer of the problem provided them sufficient details to find and fix the vulnerability. They also link to the nightlies linked to above on the March 16th entry. http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
March 30th, 2010: Scheduled release date.
Assuming that they got the details on the 16th and actually came up with the fix the same day (which is probable), that's a 2 week turnaround. Given that there have been no further nightlies posted for 3.6.2 since March 16th, it seems pretty clear they're in the release stages of getting 3.6.2 out of the door.
I'm not really sure how you expect them to get it out sooner. The largest delay here is them getting the information they needed to fix it, which accounted for a month and a half worth of time.
Should they work at reducing the lag between having the fix done and putting out releases? Yes, and based on my interview there several years ago, they were committed to doing just that. But there's still an awful lot of work that has to go into actually doing those releases. They don't just magically appear.