It is generally in the company's best interest to publicly disclose the vulnerability and its effects.
The other parts to your question are:
1. Should the company be compelled to disclose the vulnerability?
I don't think that is reasonable. Enforcing this would be a nightmare anyway.
2. If they did not disclose the vulnerability, but it becomes public knowledge another way, should there be any recourse?
I think that should be decided and enforced by the users. Unfortunately, that is becoming steadily more difficult, as companies like Google grow, and there are fewer viable/available alternatives to their products.
3. Does a company have a moral imperative to share this information?
I think that the action to share such information takes a higher moral ground than to do otherwise.