Additionally, I wonder how much the courts would say that it is the responsibility of the company to patch their systems if the patch was released.
I've always felt that releasing an advisory after a patch is the way to go; however, I've been in situations before where the vendor doesn't respond or doesn't recognize the seriousness of an issue, in which case something has to be done. That's the scenario that requires some kind of protection.