I don’t understand the drama about Google discovering an internal G+ bug and not announcing it. Everyone does that. Nobody announces. You don’t know 1/1000th of the horrible vulnerabilities pentesters find in these kinds of places.
It's completely unrealistic to disclose whenever vulnerabilities which could have led to a data breach are fixed. That's obvious to people working in security but may not be to people unfamiliar with it. Even if feasible, it could discourage finding vulnerabilities internally...