The actual proposal is dozens of pages of legalese that would take a team of lawyers a week to decipher. I have no idea what it says because it is totally incomprehensible.

That's half the problem. If you're AT&T or Google you can hire said team of lawyers to tell you what it says, but what is an individual graduate student or security consultant supposed to do?

The other half of the problem is that what it says doesn't change the outcome, because the insolubility of the issue comes from economics rather than policy. There is no policy that will keep vulnerability information out of the hands of the bad guys only, because there is no practical way for most people to even identify who the bad guys are.