I find it hard to believe you can post that just a few hours after the "Microsoft Tries To Censor Bing Vulnerability" story was posted ( http://yro.slashdot.org/story/09/11/09/2319233/Microsoft-Tries-To-Censor-Bing-Vulnerability ).
IMHO, Microsoft's lawyers (collectively) are faster and better than Microsoft's developers (collectively).
Just from that, I believe your arguments are mostly moot.
Also, Microsoft's legal department and development/maintenance team are two separate entities. Legal will do what it needs to do to protect the company (which is what it is trying to do here) and get more money. Microsoft's developers (whether hired by Microsoft full time or via a contract) will try to avoid boring work, which is why they used the GPL code.
However, I still agree that contacting the person/company/organization/corporation before spreading the news is the right thing to do, but it is not absolutely necessary.
I do not doubt that the lawyers at Microsoft will use the full extent of the law (and even go beyond it when they can) to protect Microsoft and themselves, so I would not want to ever (non-anonymously) release a vulnerability.
That being said,
Microsoft:
Please fix the vulnerabilities I sent to you last year, as I am very tempted to spread them or use them. I know your people can sleep knowing a few critical vulnerabilities exist with IIS and Windows, but I sometimes cannot.