This is a bigger deal than you might think
So, from a cloud service provider perspective, this is a bigger deal than you might think. I can tell you that there can be strong internal pressure to not disclose security issues to customers. That includes explicit vulnerabilities, but also operational issues that prevent security controls from working at full utility (for example, configuration problems). In fact, the pressure is strong enough that I used to use it as an interview question when hiring resources. For example, at the first interview I would ask something like:
"Hypothetical scenario: you discover a configuration issue in a customer's managed IDS instance that prevents it from scanning all relevant traffic. The customer is heavily regulated, has had a number of support issues recently and has gone on record that one more issue will cause them to take their business elsewhere. The account management team advises you to not inform the customer until the issue is resolved, which the technical manager says will take 3 months. What's the best course of action?"
If their answer was anything other than some form of "suck it up and immediately inform the customer", I would (politely) end the interview and cross them off the list. That said, I'm sure that not everyone at every CSP shares that same view.