Excellent new article up on TechNet by Jeff Jones explaining the Microsoft security response process:
"Once a potential issue is reported to Microsoft, either privately or publicly, our team immediately begins an investigation to reproduce and verify the reported issue and to identify any associated or variant issues. Historically, only about 1 out of 10 reported issues turns out to be a new and unique security issue that warrants opening an investigation, while the other 9 fall into categories of known issues, non-security issues, or errors."