Are you sure he was notified in those previous incidents? Sure, that's really poor behavior of the company, but you don't know if he was even aware. Sam should have responsibly disclosed the information assuming that it was not already known - his actions were indeed unprofessional and could've been approached differently - if there was still no action taken, then that's a whole other story.
Maybe he was, maybe he wasn't, only he knows. But when you're running 100000 websites, you should Google yourself once in a while at least. Besides, this isn't some 0-day, it's some extremely basic SQL injection vulnerability. This company wasn't capable of doing extremely basic security, and should be out of business. This is the kind of company that stores your passwords in plaintext. He doesn't seem to have done anything since he was notified either (see Phil's comment).
Oh, I'm definitely not disagreeing that the company was irresponsible in their coding practices and having found the previously released notices on their own - they are certainly at fault for that negligence - and if they have indeed been notified before, then they are an even worse company; but I still think Sam didn't approach the disclosure properly, but that's just an opinion.