I was never a subscriber to vendor-sec, but I am a trusted associate of someone who was and I did get information on some embargoed issues. Who knows how many such people there are beyond the 80-100 subscribers?
My position: I really hate secrecy around security issues. When I'm backporting a patch for a public issue, I often look up the CVE on cve.mitre.org and find that there is still no information there, because it was embargoed previously. If I'm dealing with an embargoed issue, I have to avoid commiting any fixes to a public VCS. And if the date is pushed out for the convenience of one distributor or another, the information is quite likely to leak to the blackhats via one route or another (even if they haven't owned the list server). Not to mention government agencies that play on both sides of the security game.