Re:
There’s no checkbox “all of the above, to varying extents, depending on the particular security issue,” so I can’t vote.

The vendor takes blame depending on how embarrassing an oversight the bug was, how they react to being notified of the problem, and how long they take to release a fix.

The hacker, no need to say much.

The user takes blame depending on how savvy they are, and how closely they keep up with patches. Sysadmins at large companies obviously have great responsibility here.

The security researchers take blame when they release information without giving the vendor a chance to create a fix; or, if they wait too long while the vendor sits around, or worse, fields spin doctors to do damage control.

The bottom line is that all code has bugs; we need to accept this as a reality. This means that vendors should be alert and listening to security researchers, who should immediately notify vendors of any findings; once notified, vendors need to work immediately on a fix to push out to users, who should be keeping an eye out for those. Everyone is responsible for doing their part of the job. The blame game is convenient, but useless.

It's not totally useless
I don't think the blame game is totally useless. If it causes emabarassment to the perpetrators and lights a fire under their ass, then it might have some value.

However, uneducated and lazy blame isn't of much use, I will agree to that.

Never underestimate the power of righteous indignation! ;)

The purchasers and users are to blame, and that's it
The people who buy and use the crappy software and products are to blame, and no one else. If stuff is shitty and we buy it, then we are sending a message to the manufactures that crappy product is OK.

You can't blame the butcher for selling what people are buying. Until we are ready to suffer and do without instead of buying garbage, then we'll get just what we deserve.