January 9th, 2005, 08:15 PM
#11
What if the advisory isn't detailed enough? Releasing a detailed enough advisory will still lead to the creation of exploit code. So if someone creates said code, then goes and exploits something that results in the death of someone (say, a scenario similar to the one above), aren't the vulnerability finder and the company still at fault for giving so many details? At what point do you draw the line?
There are other correct ways to go through the disclosure process, I agree with most of them depending on the scenario.
Here's a tricky scenario: A vulnerability in a custom web application, such as websites at Bank One, retailers, forums...
Public PoC code won't help anyone, I think we can all agree on that. But what do you do if the vendor doesn't respond (with and without their attention)? If you release the same advisory to the public that you sent to the vendor, it's only valuable to people who want to attack the site.