Juan - it's even worse than that. Their (and no doubt my own CSE's version of) Tailored Access Operations demand a steady supply of zero-day faults, meaning the NSA searches for undiscovered security flaws in software and instead of informing the authors of the problem and then releasing details once a patch is available (i.e. following the standard good-faith approach to these issues), it stores away the details for possible use in its own attacks. That's probably billions of dollars of smart-person salary spent to *not* fix security flaws.