Hacker News

Marketing is entirely the wrong way to get the people who release fixes to scramble. At least at the top few tiers (package developers and distribution maintainers) you know the organizations necessary to contact, and how to contact them. If the orgs are worth their salt, a descriptive email to their security contacts is faster and easier than a marketing campaign.

Marketing is useful to get sysadmins too lazy to subscribe to security announcement mailing lists to apply the already-released patches or take other mitigation.



> Marketing is useful to get sysadmins too lazy to subscribe to security announcement mailing lists to apply the already-released patches

Which, let's be honest, is the vast majority of people who admin servers these days.

With cloud servers, VPSes, etc., anyone can become a "sysadmin," and lots of people do who don't really understand what they are signing up for. These are the people running the unpatched boxes that Ars Technica recently called "the slum houses of the Internet." (http://arstechnica.com/security/2014/03/ancient-linux-server...)

Those people aren't going to patch their system just because a CVE was issued. They don't know what a CVE is. So marketing the problem is critical to reach them and get them off their duffs.



