Because this isn't about guarding against general vulnerabilities. This is about guarding against a class of supply chain attack where an attacker compromises the packaging system in a way that lets them slip in a malicious release.

It is true that if everyone waits a cooldown period (I don't like this name, but that's another thing), then it doesn't solve anything, but as others have pointed out, just because you don't build off the cooldown doesn't mean you and others aren't watching the releases.

Closing the window makes the burden of hiding the exploit higher, which is, I think, objectively an improvement in security posture.

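The "cooldown" the comment above describes is simple to state but worth seeing as a resolver rule: skip any release whose publish time is younger than some minimum age, and fall back to the newest release that has been public long enough for others to look at it. The following is an added example, not code from the thread or from any package manager. The metadata is a constructed sample shaped like the `time` map in an npm registry package document (package name, versions and dates are made up), and the function names are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (assumption: a real check would fetch the package document
# from the registry). The "time" map pairs each published version with its
# publish timestamp, plus the non-version keys "created" and "modified".
PACKAGE_META = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": "2023-01-10T12:00:00.000Z",
        "modified": "2024-06-01T09:30:00.000Z",
        "1.4.2": "2024-03-15T08:00:00.000Z",
        "2.0.0": "2024-05-20T14:00:00.000Z",
        "2.1.0-rc.1": "2024-05-28T10:00:00.000Z",
        "2.1.0": "2024-06-01T09:30:00.000Z",
    },
}

# Stable releases only: this skips "created"/"modified" and prerelease tags.
STABLE_RE = re.compile(r"^\d+\.\d+\.\d+$")


def parse_stamp(stamp):
    """Parse a registry timestamp such as '2024-06-01T09:30:00.000Z' into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def version_key(version):
    """Sort key for x.y.z version strings (numeric, not lexicographic)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(meta, now_iso, cooldown_days):
    """Stable versions published at least `cooldown_days` before `now_iso`, oldest first."""
    cutoff = parse_stamp(now_iso) - timedelta(days=cooldown_days)
    eligible = [
        version
        for version, stamp in meta["time"].items()
        if STABLE_RE.match(version) and parse_stamp(stamp) <= cutoff
    ]
    return sorted(eligible, key=version_key)


def pick_version(meta, now_iso, cooldown_days):
    """Newest version that has survived the cooldown, or None if nothing has yet."""
    candidates = eligible_versions(meta, now_iso, cooldown_days)
    return candidates[-1] if candidates else None


def held_back(meta, now_iso, cooldown_days):
    """True when the registry's 'latest' tag points at a release the cooldown still blocks."""
    return pick_version(meta, now_iso, cooldown_days) != meta["dist-tags"]["latest"]


if __name__ == "__main__":
    now = "2024-06-03T00:00:00Z"
    for days in (0, 7, 365):
        chosen = pick_version(PACKAGE_META, now, days)
        print(f"cooldown={days:>3}d -> install {chosen!r}, "
              f"latest held back: {held_back(PACKAGE_META, now, days)}")
```

Two caveats follow from the code rather than from the thread. The publish timestamps are served by the same registry the attacker is assumed to have compromised, so a cooldown only raises the bar for an attacker who cannot also rewrite history; pinning by content hash in a lockfile is what actually fixes what gets installed. And the check only helps if some installs run with a zero cooldown, as the comment above points out, otherwise nobody is exercising the release during the window it is meant to create.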
I am not sure what the benefits of your proposal are compared to the "cooldown period" way.

the releases will be delayed for the same time period, but you increase the amount of coordination required significantly and reduce user agency.
