To a certain extent if the lead developer issues a release and says it's critical we have no choice but to trust him. But, outside developers can and should perform their own independent audits of new releases to see if something suspicious is done and raise the alarm if need be.
Most Nxt users are not "developers", so while I take your point, I also suggest that most people are being asked to update software without being able to understand OR verify the reason for the update. It's the software-developer equivalent of "trust me. Just do it."
There is no such thing as zero trust. You are using operating system, and you trust it's not logging everything you type and sending it somewhere. You trust the software developers of your web browser. Even if you are using open source software, how would you know if the official binary is based on the released source code? (unless you build your own binaries after going through the source line by line).
Zero trust doesn't exist.
In this case, everyone who is a Nxt user is trusting the developers. There is simply no choice.
There maybe reasons not to publish the exploits until most users have upgraded.