I have heard of many incidents like this from various companies, but not Apple that I know of.

But yes, responsible disclosure includes a deadline (60 days?). Flexibility granted if the company truly needs it, and the nature of the vulnerability requires discretion until fixed. A major widespread flaw with no workaround short of air-gapping the machine would be wise to keep secret until fixed.



90 days, and Apple in fact are a noteworthy example. They have repeatedly missed the deadline and had full disclosure by GPZ, with widespread flaws, complete with exploit code.

Microsoft are the other big one.

The "right" thing is far more complicated than people who have no experience working with vendors to fix bugs like to assert.

There is some game theory here. The rationale is that if vendors know that GPZ will sit on their vuln until it is fixed, they are not forced to take the deadline seriously. For that reason, GPZ must remain firm on their deadlines, and everyone knows that if you try to call their bluff, you are going to lose that bet and have an even bigger mess.
