We wish it was a myth (Score 1)

At the risk of repeating the sentiments of everyone else: Vendors are MANAGED BY indifferent slugs who wouldn't fix security vulnerabilities quickly -- if at all -- if it weren't for noble security researchers using the threat of public disclosure to force them to act. As opposed to developers, who would never put them in in the first place if it weren't for time-to-market pressures. Oracle is in no position to talk since half their patches don't even work on half the software baselines they're supposed to apply to.