I don't think immediate fixes are reasonable, but expecting a <3mo rollout for critical vulnerabilities (such as this one) isn't unreasonable at all. If they plan to fix this in October, that's 6 months; regardless of a 0-day being out or not, that's pretty abysmal. Of course, Oracle is not the only company that does this, but that doesn't make it okay.