I agree, it sounds like a huge conflict of interest to me.

If they don't 'fix' a flaw but they can update the AV signature in their product, is that in their best interest or the customers'? And if they update the AV definitions and do not release a patch for the O/S, is that ethical? I don't see this as the best way to go, but I'm not driven by $$$.

~Halv