What exactly is the point of that policy?
The point is, I suppose, to provide a "window" for vendors/authors/etc. to fix bugs before the skr1pt k1dd13s get their hands on the latest 31337 skr1tpz.
But that has never worked as a viable strategy, and if the window is too big, it only encourages slackage, and extends the period of actual vulnerability for Joe SysAdmin.