Comment on FFmpeg to Google: Fund Us or Stop Sending Bugs
lmmarsano@lemmynsfw.com 22 hours ago
Then Google would have to put out the fire of that vulnerability in their dependent software.
Not disclosing a vulnerability doesn’t stop attackers from exploiting it. A report simply indicates someone who noticed bothered to report it.
The problem is the vulnerability. False urgency is nothing more: the maintainers don’t need to “meet the window”. Companies will be left with their pants on fire if they don’t act, too: it’s everybody’s problem. Maintainers can just ignore the window to shift the burden back on moneyed interests as I explained before.