The problem with that is you inherently trust the vendor. Several companies have been known to sit on information that shows their product to have been cracked, and until the information went public, they did nothing about it.
Part of releasing the vulnerability information is to force the hand of the vendor to act. I agree that the vendor should be notified first. However, if nothing is done about it, then the information should be released publicly to force their action.
Then we agree. I think 6 months is sufficient time for vendors to respond. After that only official groups such as CERT should be notified, and anything else considered criminally negligent. But keep in mind this puts you at odds with open source leaders like Linus Torvalds who believe in what they call "full disclosure", meaning let the hackers and everyone know ASAP.