Well, first I wanted to note that I said I »usually« practice responsible disclosure.
Besides that, they have been informed before. So imho all requirements for responsible disclosure are met. It's not my fault if they're too stupid to understand the issue.
I think you can't expect customer support to know what a Cross Site Scripting Attack is. I think you should explain it to them and tell them to forward the message to someone who is responsible for security.
I'm really a fan of responsible disclosure, but there are some borders. If someone proves to be too stupid to understand what the problem is, you can just publish it. I recommend Hanno to just blog after the first response. It is just not worth spending more work on it. Just remember the story of Chris Shiflett and Amazon. He waited one year and nothing has been done on a really, really big hole.
You can insist that one day is too little. I would be completely with you. Normally you should grant a much bigger period. But only if you can expect someone will work on it. In the Napster case, you just can't.