The vulnerability has been there for four years. It's critical, but not widely exploited. As soon as you release an update, the exploits will be found and weaponized. It's 24 hours later and we're already clocking scripted attacks.

Coordinating a flawless release by a) not doing it during a major distraction event (DrupalCon) and b) allowing an embargo period for people within the security community to prepare is MUCH more important than rushing out the fix a few weeks earlier.

The response here is indicative of the professionalism of the Drupal security group IMHO.