Logically, one would disclose as soon as the value of disclosing is larger than the value of non-disclosing. I hope we can agree that after 5 years, the benefit users have due to non-disclosing is near-zero, because virtually nobody will still use the vulnerable version. At the same time, if after 5 years the security gap is still unknown to the public, the value for other security researchers will be very large. So, for mobile phone software vulnerabilities, it is definitely better to disclose after 5 years than not to disclose.
Given that before the patch the value of non-disclosing is certainly higher, and after five years the value of disclosing is certainly higher, there must be some point in time from which on disclosing is the right choice. Therefore, the only question is when to disclose, not whether to disclose.