True, but that's a general indictment of any spy agency for any country. More broadly than just software, their mission is to control information...who gets it / who doesn't.
This might sounds naive, but I am genuinely wondering whether they are failing at this mission in the long run, though? They can hardly believe they're they are the only ones in control of these exploits. Can't the same exploits be used against them?