Ideally, yes, we'd make a pre-announcement for any security releases. We made the decision not to pre-announce this hotfix because we had proof that the issue was already being exploited and because the discussion discovering the vulnerability took place in a public channel. The patch was quickly put together, tested, and released. Sitting on the finished hotfix for a day (or until the "Patch Tuesday" we've used in the past) while the vulnerability was actively being exploited was deemed to be irresponsible.
If anyone has questions about the specifics of the issue or the hotfix, please email the security team at security@plone.org. Contacting team members individually will not result in a response.