No. Many closed source vendors do not bother trying to fix things unless their feet are really roasted. In the case of routers, since the primary attack vector is to clients, and since routers rarely act as clients (most are not in bridge mode) they do not bother. And other closed source vendors do not bother since fixing it only affects the bottom line negatively.
The problem is less than you would expect since it requires that the bad guys actually do the diff. I doubt that there are many who take each update or kernel/programs, diff them and try to figure out whether it was a security update they could use, or some other update which is of no use to them. I.e., unless the code or the press point direct fingers at it, they have no particular reason to zero in on the changes.
Their position now seems to be that Theodore should have waited until Oct 16 when they announced it, and immediately rolled out the fixes on that date (as for example Debian did).
Make the fix, but do not release it until the embargo is over.
He wanted him to sit on the fix until the bug was announced and everyone could release the fix at the same time.
Note that Theo asked him for permission to release the fix, arguing that it was important for his users not to be open to attack. But he asked permission. That permission was given, but regretted.
No, "all" vendors were notified of the problem in August. So everyone had the opportunity to fix it. The request was to hold off on the implementation until a certain date so everyone could fix it at the same time without warning the bad guys beforehand.
See above.