by DinkyG 3916 days ago
Sounds pretty circumstantial. Adobe, for example, has had many security vulnerabilities in Flash over the years. I doubt that they were intentional backdoors.
3 comments

This is getting into conspiracy territory, but we are talking about a government that intercepts networking equipment while it's being shipped, disassembles it, installs hardware backdoors, and then delivers it. Strong-arming any US software company that has a near-universal install base isn't really a stretch of the imagination.
I believe most AV vendors, if/when persuaded by powerful agencies, won't need to introduce a specially crafted backdoor.

An average antivirus suite already has everything necessary: personal licenses as a way to identify the specific machine or person, automatic streaming software updates as a way to deliver the payload, and almost unrestricted privileges on the target system, enough to infiltrate and stay concealed.

I agree with you on the Adobe software issues, particularly PDF reader. But you raise a question: how can we tell if a security vulnerability is an intentional back door or a goof? It's pretty easy to say "intentional" in some cases, and "goof" in others, but what about the vast majority that will inevitably lie between the easy-to-tell ends of the spectrum?

As an example, there's still room for argument about the Dual_EC_DRBG algorithm, and RSA making that the default PRNG for some or all of their products. RSA denies taking money for it. Nobody can make an airtight case for the NSA deliberately weakening it. Yet we still all kind of view Dual_EC_DRBG with suspicion.

The RSA deal was $10M; this was after its acquisition by EMC, so $10M out of $25 billion in revenue makes it a bit of an odd sum for introducing a backdoor.

Not that RSA hasn't done so in the past, but it was public: when encryption software could not be exported, RSA came to an agreement with the US government to export its 64-bit encryption; it would use a 40-bit private key and append to the message an additional 24 bits, which are transmitted in clear text and complete the private key to its 64-bit size.

This was a government-mandated "work reducer" so the NSA, if need be, could decrypt the message, as they had the ability to break 40-bit encryption and the remaining 24 bits of the 64-bit encryption key were known for each message. This wasn't hidden; it was even announced at a conference with great pride that RSA could now export its mail encryption suite to Europe. Germany made a fuss about this 5 years after the fact, but everyone pointed and said, well, they announced it at a conference.
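The "work reducer" arrangement described in the comment above (a 64-bit key of which 24 bits ride along with the message in clear text) can be modelled in a few lines. This is an added example, not code from the original thread or from any RSA product: the cipher is a constructed SHA-256 keystream stand-in, the message is constructed, and the key sizes are parameters so that the brute force finishes instantly (8 secret bits in the demo rather than 40). The point it shows is that the recipient never needs the escrow field, only a party who can brute-force the undisclosed bits does, and that the field divides the attacker's work by 2^24.

```python
"""
Toy model of a work-factor reduction (key escrow) field.

A key of `key_bits` bits encrypts the message. The high `disclosed_bits`
bits of that key are sent in the clear next to the ciphertext. Anyone who
can afford 2**(key_bits - disclosed_bits) trial decryptions recovers the key;
everyone else still faces the full 2**key_bits keyspace.

The cipher is a constructed stand-in (SHA-256 in counter mode, XORed in),
chosen only so the example runs offline; it is not any real product's cipher.
"""
import hashlib
import os


def keystream(key: int, key_bits: int, length: int) -> bytes:
    """Derive `length` keystream bytes from an integer key (toy construction)."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: int, key_bits: int, plaintext: bytes) -> bytes:
    """XOR stream cipher; decryption is the same operation."""
    ks = keystream(key, key_bits, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt


def escrow_field(key: int, key_bits: int, disclosed_bits: int) -> int:
    """The high `disclosed_bits` bits of the key, transmitted in clear text."""
    return key >> (key_bits - disclosed_bits)


def send(key: int, key_bits: int, disclosed_bits: int, plaintext: bytes):
    """What travels on the wire: (escrow field in the clear, ciphertext)."""
    return escrow_field(key, key_bits, disclosed_bits), encrypt(key, key_bits, plaintext)


def work_factor(key_bits: int, disclosed_bits: int) -> int:
    """Trial decryptions needed by a party that holds the escrow field."""
    return 1 << (key_bits - disclosed_bits)


def brute_force(escrow: int, ciphertext: bytes, known_prefix: bytes,
                key_bits: int, disclosed_bits: int):
    """Recover the full key by trying only the undisclosed low bits.

    A candidate is accepted when it decrypts the first len(known_prefix)
    bytes to the expected plaintext (e.g. a mail header the attacker can guess).
    Returns the key as an int, or None if no candidate matched.
    """
    secret_bits = key_bits - disclosed_bits
    high = escrow << secret_bits
    for low in range(1 << secret_bits):
        candidate = high | low
        if decrypt(candidate, key_bits, ciphertext[:len(known_prefix)]) == known_prefix:
            return candidate
    return None


def demo(key_bits: int = 20, disclosed_bits: int = 12, key=None) -> dict:
    """Run the scheme end to end with small parameters. Constructed message."""
    if key is None:
        key = int.from_bytes(os.urandom((key_bits + 7) // 8), "big") & ((1 << key_bits) - 1)
    plaintext = b"From: alice@example.test\nSubject: quarterly numbers\n"  # constructed
    escrow, ct = send(key, key_bits, disclosed_bits, plaintext)

    # The legitimate recipient holds the whole key and ignores the escrow field.
    recipient_ok = decrypt(key, key_bits, ct) == plaintext

    # The party that reads the escrow field only searches the secret bits,
    # using a guessable header as the known plaintext.
    recovered = brute_force(escrow, ct, b"From: ", key_bits, disclosed_bits)

    return {
        "key": key,
        "escrow_field": escrow,
        "recipient_ok": recipient_ok,
        "recovered_key": recovered,
        "attempts_bound": work_factor(key_bits, disclosed_bits),
        "full_keyspace": 1 << key_bits,
    }


if __name__ == "__main__":
    r = demo()
    print(f"key=0x{r['key']:x} escrow=0x{r['escrow_field']:x} "
          f"recovered=0x{r['recovered_key']:x} in <= {r['attempts_bound']} tries "
          f"(vs {r['full_keyspace']} without the field)")
    print("real-world sizes: 64-bit key, 24 bits disclosed ->", work_factor(64, 24), "tries")
```

With the sizes from the comment, `work_factor(64, 24)` is 2^40, which is the 40-bit search the comment says the agency could already afford; the demo uses a 20-bit key with 12 bits disclosed so the loop runs at most 256 times.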

People are trivially easy to bribe. The KGB bought an FBI agent for 22 years for a total of only $1.4M.[1] And an army intelligence officer for only $250K over 25 years.[2]

It's strange to think that corporate employees would be that much harder to corrupt, especially for their own country.

1: https://en.wikipedia.org/wiki/Robert_Hanssen
2: https://en.wikipedia.org/wiki/George_Trofimoff

Corrupting an RSA employee, sure; making a deal with a corporation for a measly $10M, nope.

Human assets are a different story. $1.4M and even $250K, while not being a large sum, is quite a large amount of money. Those assets are usually developed by other means; in most cases the money is largely irrelevant. Even if the asset refuses to take money, tradecraft mandates that they'll be forced to take it just to leave a money trail that they could then be threatened with if they no longer wish to comply. Additionally, being paid also makes the asset more invested in their duty, because it creates a link like with a would-be employer, and allows them to quantify their assignment with a positive reinforcement no matter how big or small it is. So money which is paid to long-term assets isn't really a bribe; an initial sum might be used to turn the asset in the first place, but it also usually requires them to be in a position to need it, e.g. gambling debts, medical bills, etc. Generally, assets that can be bribed will not be farmed in such a manner as the cases you've mentioned; people that can be easily bribed cannot be trusted, which isn't a trait you want in an asset.

Eh, are we sure the $10M was the only thing being paid? Perhaps the NSA sweetened the deal for key decision makers.

Even without that, it's free money for a benign reason, while doing the security services a favour. "Hey, we've got this new crypto thing that's amazing, but people don't believe us. Add it to your product and we'll give you token compensation. Also, we'll make a note of what great guys you are."

Way to risk too much for a measly $250K.

Yet he got away with it! They only popped him after he got greedy in retirement and they set up a sting!

I know of employees busted for internal schemes they cooked up (it was pretty cool working with BigCorp to set up an international sting to get them). It simply cannot be that hard to find people that need or want money and get them to compromise things for relatively small amounts of money.