Right, but why should any business give up broad legal rights like that? There needs to be a compelling argument that they get something worthwhile in return. From a commercial perspective, I just don't see one here. From the W3C's perspective, it's trying to bring some standardisation to the industry, but it's abundantly clear that major content providers will walk away and implement their own proprietary equivalents if they are backed into a corner, so the W3C has very little bargaining power to try to force the matter. (See also: Mozilla's handling of the same issue.)
Again, I have nothing against legitimate security research and responsible disclosure, but there is a reason we're talking about laws here. It's because it typically requires laws, or other regulations with statutory backing, to compel desirable behaviour when commercial pressures alone won't do it. If there's a problem with abusing provisions in the DMCA to inhibit valuable security research, that problem needs to be corrected at the same level, the DMCA, not kinda sorta worked around through some commercial agreement with a non-statutory standards organisation.