Microsoft's longstanding practice isn't enough to handle its vulnerability problem.