I finally convinced Thomas to answer my questions (see comments here) about vulnerability discovery and disclosure. He does a great job of proving my points by:
1. Admitting that vulnerability discovery is spinning wheels.
2. Deftly trying to change the subject while confusing correlation and causation.
3. Suggesting we are one step ahead of the Russian Mafia, regardless of the latest 0day proof points to the contrary.
4. Acting like a concerned parent making decisions for all the enterprise "problem children" of the world.
5. Contradicting himself in number 3 with an even more glaring admission of bugfinding weakness.
6. Helping me counter the monoculture argument that suggests more patches equals less secure. (Thanks, Tom!)
7. Asserting that all security warnings are a lark. (I don’t believe this one, but he’s on the right track.)
8. Suggesting that for 7 years people took dumb pills, got compromised, and never noticed, while simultaneously proving that it is possible to find vulnerabilities without the whole disclosure process (e.g., the Morris worm).
In the interest of fairness, I am now happy to answer any questions about discovery and disclosure that Thomas or other bugfinders have for me about my position.