There’s a give-and-take here, where disclosing the vulnerability should be done soon enough to be responsible to affected users, but not so late that it’s seen as pandering to the vendor.
We’ve already seen how much vendors drag their feet when they are given time to fix a vuln before the disclosure, and almost all the major vendors have tried to pull this move where they keep delaying the fix unless it becomes public.
Synology hasn’t been very reactive to fixing CVEs unless they’re very public. One nasty vulnerability in the old DSM 6 was found at a hackathon by a researcher (I’ll edit and post the number later), but the fix wasn’t included in the main update stream; you had to go get the patch manually and apply it.
Vendors must have their feet held to the fire on vulns, or they don’t bother doing anything.
Current modern supercomputers are actually a mesh of relatively lower spec machines, not a single “computer”, per se. The cost of these isn’t the hardware, it’s the low-latency interconnects and writing the software that can carry out jobs in a massively parallel way.