The weapons are on chips, firmware or in the OS! Did you not read that catalog that the Snowden fella kindly leaked for us?
Ask Intel about iAMT and vPro. Ask China about Manchurian Microchips. Ask Microsoft about NSAKEY again, because if we didn't believe their lame excuses 10 years ago, we REALLY don't buy them today.
Sure, the NSA probably has a large virus arsenal too, but when you can issue a National Security Letter to MS or Apple or Google or Mozilla, or simply activate one of our many programmer agents in place (such as in the IETF or at MS or Google) and just put the exploits wherever you like, viruses start seeming pretty silly. Heck, even our geopolitical adversaries are using US-made cyber-weapons - ahem, I mean operating systems and applications.