Where do we draw the line? When millions die and billions of dollars in irrecoverable damage is done?
Who gets to decide whether the risk is acceptable? To whom do we turn to when it's found that their risk assessment was flawed, and we require compensation for their recklessness and negligence?
One could make the argument that given the depth of the NSA's capabilities they were in an unique position to know who, if anyone, also knew of the bug.
All governments are hypocritical. We have nukes, but you can't have them; we can spy on you, but don't spy on us; etc. It's the nature of self-interest.
Who gets to decide whether the risk is acceptable? To whom do we turn to when it's found that their risk assessment was flawed, and we require compensation for their recklessness and negligence?