Unfair but also of great benefit to the corporations creating products with security holes. It reminds me of 'identity theft' where the average citizen bears the risk due to the poor verification practices of loaning institutions instead of the institutions who create the risk as a byproduct of profiting off making the loans. If anyone thinks this is accidental, you should contact me as I have a great deal on this new bridge that is about to hit the market.
Security researchers should only be liable for potential risks if we manage to hold those companies for potential risks.
If we fail to do the latter it's quite unfair to let individuals bear the brunt of legal enforcement.