And only a month after the first public posting of the vulnerability, in their own forums.
Some guy accurately describes the vulnerability, complete with screenshots showing a Superfish-signed online banking page, and posts it to the public Lenovo Security-Malware support forum, and they take no public action for 29 days; yet around the same time, they stopped installing the software on new machines. Only when it's a scandal do they first make statements that are designed "to defuse the situation", which, in this case, means trying to convince their owners that their dangerously compromised and possibly already-exploited machines are safe, and then (perhaps when someone points out that such statements are only going to increase the price tag from the inevitable class-action suit) do they start behaving properly.
So, no, that's not a speedy response. As a company selling a product, they are ultimately responsible for everything that product contains. They have a duty of care to make sure that the goods they are supplied do not place their customers at risk. If one of their trusted partners wants to load a Root CA onto their machine, it better have a good security case for it. "Used by major commerce sites", for example, is a good reason; "allows us to break SSL" is a bad one. Ignorance is not an excuse. If Lenovo is not loading up their machines with all the crap they put on it and auditing their installed certificates, they are not doing their duty to the customer.
If Lenovo tells people their machines are secure, when it has known for a month at least that they weren't, it is making things worse for itself. Saying they don't read their own public support forums, or that the information didn't get to the right person, doesn't amount to an excuse so much as an admission of guilt. Claiming that PR flaks are there to give these kinds of messages slanders the job of spokespeople: specific people are assigned precise messages to communicate to the people exactly to avoid statements that would open them up to litigation.
Right now, we don't know of any security compromises that occurred via Superfish. We may never hear of them, but that doesn't mean that they never occurred.
Right now, Lenovo seems to have their best PR approach underway: release the uninstallation tool, contact every anti-virus provider on the planet, contact everyone who registered a product with them, and then shut up and start saving pennies for the settlement.