
You are right in that Microsoft's first responsibility should be to correct the flaws in its products and commercial behaviour that allow these problems to propagate. It is however in their interest to also try and find and prosecute these individuals. A few high-profile convictions may send a "message" to virus writers that what they do isn't so smart.
Yes, but from any level of incident response, the DIY approach is not a good approach. Personally, I see this as Microsoft taking the law into their own hands. I can fully understand that Microsoft is rather pissed at the moment. The appropriate authorities such as the FBI in America, or closer to home, the NZ Police Electronic Crimes Lab are there to hunt down, catch, arrest, and convict cyber-criminals. Tell me, what is the difference between me beating up a thief with a baseball bat and Microsoft doing what they intend to do?
The only problem we have is that the "good guys" could get painted with the same brush as the "bad guys". The "good guys" being those grey and white hats who find bugs and write proof of concept exploits and post them to forums such as bugtraq. These guys help make the software safer. However, as a side effect they also help the morons who write 800k VB viruses cause havoc. Which is unfortunate. But it is ultimately the moronic VB virus coders who are the problem, not the people who find the software flaws in the first place.
It's a case of slowly educating the public; people are slow learners. If they only realised that stealing cars these days also requires a similar level of skill.