Is it actually reasonable to disclose this just for missing the deadline given that it has already been exploitable for twenty years? I know nothing about security but I just feel so bad for people who have to scramble to fix this legacy system which they probably had nothing to do with. I don't think I have ever seen a good secure system understood, redesigned and reimplemented in less than a quarter. The exploit author himself seems to have spent months on this without coming up with a fix either.
Second, these things are a lot more correlated than you think. Look at Spectre recently: those bugs have been in there in various ways for what, 20+ years? Yet something like 3 different research groups all came across variants of it simultaneously. There are pervasive correlations leading to https://en.wikipedia.org/wiki/Multiple_discovery - people use similar tools like fuzzers, they follow similar research topics and gossip, certain things become 'obvious' to everyone simultaneously, and so on. OP might not think that anyone else is working along similar lines, but how could they know that? How should anyone interested in Spectre have known that there were (at least) that many other groups finding similar problems?