It's not like the stakes in a complete security audit are an unknown or something. It's an apples to oranges comparison if their scenario is anything but "someone with commit access to our operating system was social-engineered into compromised credentials and may have inserted malignant code", and in the first place neither Apple nor MS have a sterling record they can boast in contrast (and don't think they don't know it)
If they (any of them) somehow managed to...say, lose tens of millions of users' personal information (i.e. "Pull a Sony") I'd be all for laying into them, but that's not the scenario.
Taking time and being careful while still developing the kernel? That earns my respect. From where I sit, their response was actually pretty on the ball, and it'll be relatively simple to turn git into the star of this show when it's all done.