Oh, please don't get me wrong: I'm not taking VW's side on this one, just arguing that the 'enough time for the vendor to do something' is really a concept born of, and applicable to, the world of software running on general purpose computers.
It's still impolite to hide defects from vendors of such baked-into-hardware systems as this; but where "responsible disclosure" in even its most supine, vendor-friendly, form means maybe 6-8months on the PC side, it would mean probably 10 years on the hardware-embedded side.
My contention would be that, under those circumstances, it isn't a very useful standard. Also, in the specific context of cars, the owners of the cars really ought to know as soon as possible, lest Team Insurance try the old 'Nope, that system is unhackable, if your car was stolen you must have been negligent!' line. (see also 'Chip and Pin' bank liability controversy)