Well, not surprising really, with all the quality assurance required (it’s really not a light thing for them — imagine testing and patching every language, every affected version, etc.).
Once we were made aware of the issue (December 28, 2005) we immediately began developing a security update for the WMF vulnerability on an expedited track. Normally the entire process of creating a security update from start to finish, creation, to testing, to release, takes four to six weeks. By taking as many as 200 of our people and having them focus 100% on this issue only we have cut that time down to two weeks and expect to update to be ready on January 10th for release as part of our normal release schedule (again, this is dependant on it clearing all of our quality testing but the potential is high that it will be done on time).