The fact that they didn't tell anyone though shows that the S in NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure. If they cared one shit about their country's security then they'd have big teams dedicated to finding software vulnerabilities and working with vendors to fix them.
You are confused as to what NSA's "defensive" mission is. They aren't there to be the defenders of the internet. They aren't there to be corporate America's QA department. They aren't there to review open source and provide fixes. They aren't there to "make the country's computers more secure".
They are there to protect DoD classified systems. That's the defensive mission, as an agency under the DoD umbrella. Protect DoD classified systems and anything that deals with military activities. All this extraneous whining - none of it is their mission.
It's a simple calculation on their side as far as the defensive mission goes - does "vulnerability X" involve classified DoD systems or ones that have military information? No? NOT THEIR PROBLEM.
Don't like it? Well too bad, you don't get to gripe when they don't follow their mandate and also gripe when they do.
If you want to complain, take that up with Congress or the President to alter their mandate/directive. Or, take it up with Congress to provide more funding for the agencies that are actually supposed to be looking out for commercial internet use and regular gov sites - NIST and DHS. Or, lobby Congress to create a fully civilian non-DoD agency that's there to provide an extra security layer for the world at large. And in that last case, don't bitch about the government spending money when clearly the free market is failing to provide a solution, since it appears greedy for-profit corporations are happy to use but not contribute any resources towards this critical software infrastructure.
With the constant complaining about them and government in general from all the anti-government libertarian neckbeards here, why would they even bother producing a fix? Who would trust code they released? This would not be like the SELinux release, which is optional and provided new capabilities - if they produced a fixed OpenSSL nobody would use it until it had been code reviewed for years. They'd spend more time with PR and a ton of bullshit than doing nothing at all, which is free from their perspective. If they disclosed the bug, they don't have any power to compel "the internet" to upgrade to a fixed version, so they'd be blamed for exploits and vulnerabilities during the time servers were slowly upgraded.
Whatever they do, somebody would gripe, and given it ISN'T THEIR JOB in the first place, doing nothing looks like the best call, game-theory wise.