however, just because the software is vulnerable, it doesn't mean you have the right to exploit those vulnerabilities.
for example...
let's say a lock smith company is very popular, and every house in the tricounty area has them -- they locks are secure, one cannot easily open them without keys. then a bunch of theives discover that there is an easy way to open the locks, say, with a screwdriver, no more than that. just because the locks are easily opened, it doesn't give them the right to go around opening up people's houses and causing havoc inside, or stealing valuables, etc...
sure, the locksmith is obliged to fix these locks, but you CANNOT say that m$ doesn't try to patch their software (even if it is horrible)
[edit]
it should also be noted that *nix and things like firefox are patched completely differently to m$ products, in that exploits are fixed usually within 24 hours of them being found - m$ take 2 days at least, and sometimes up to a week after the vulnerability is widely exploited, not when it's actually found - usually.