Product Security Team

Background: After a vulnerability is discovered it must be dealt with. However, the question becomes who is responsible for discovering and fixing vulnerabilities, the vendor or the client? What if it is an industrial control system that is critical to a nuclear facilitys functionality?

Keeping this question in mind, while addressing the following:

Product security teams (PST) are unneeded and costly. Do you agree? Why or why not?
For example: I disagree with the statement because, best practices would highly recommend that organizations should have a PST to find vulnerabilities and communicate their findings with vendors to have them resolved.
Another example: I agree, because it should be the vendors responsibility to properly test and secure their products whenever a vulnerability is discovered. It is not fair to clients and customers to have to pay for something that the vendor should be doing itself.
Support statements with reputable sources (e.g. government and industry websites, books, and other media).