If you look at NSA's TAO division [or some others], they specialize in looking for such zero days. They have used many zero days that are a lot harder to find/utilize than this one. They have 30,000 people working for them. Even if only 1,000 are looking for zero days full time, this is a lot of manpower to throw at the problem.
Odds are pretty high that the NSA had, indeed, found the bug. But, they decided they had a shiny new toy for their arsenal. They didn't see the bigger picture that this vulnerability would become so widespread (e.g. not just servers, PCs, etc. but also routers, DSL modems, home routers, ...) that it would compromise systems we depend upon (e.g. secure banking, confidential medical records systems, to name but a few). Even if a few spies/terrorists got tripped up by this, the collateral damage count for this makes the "do not disclose" decision the wrong choice. With friends like the NSA, who needs saboteurs ...
Some of the FOSS is high quality indeed [I've even written some ;-)]. But, it's either the Linux/BSD kernel, or where the code is contributed by paid employees of a given company (e.g. the Linux USB 3.0 driver is first rate, because it was written by a woman at Intel who is their point person for USB 3.0). Other FOSS is written by fresh grads who need/want street cred in order to get their first programming job. And some FOSS gets taken over by a small group with a "vision" [cult] that refuses to take suggestions/criticism, like Gnome 3, and gets train-wrecked in the process.
YMMV ...