Indeed, many security researchers are willing to extend their disclosure deadlines if the vendor gives good reason to and shows that they're taking it seriously.
You would have a point if the exploit were more serious, and looked harder to fix than it does.
As is, this is a phishing type variant that itβs not at all clear gatekeeper was even designed to stop. However, the default behavior described (especially making symlinks to NFS shares without any sort of warning or special graphic when following them in Finder) seems sufficient for forceful language when complaining about it to Apple / giving a disclosure deadline then publishing.
I believe Apple could easily have asked for an extension, if solving it was complex.. Apple chose not to.
(from the information available to us..)