There's a lot of boasting yes, but as I understand it a lot of security bugs are discovered because they're being exploited. If you do all your hacking in a test lab and only use it sparingly and targeting specific computers it might take a long time before it ends up in any security researcher's lab. For example, take this recent bug from Microsoft, it affects every IE version back to IE6 - possibly older since they don't test further. Assuming it was in the original IE6 code base that's a bug the cyberwar division might have been sitting on for 12 years. Multiply that with lots and lots of top notch people and a system that don't disclose and (mostly) don't exploit, just hoard for a rainy day and I have no problem believing they have a pretty solid stash.
However that is also their biggest limitation, if you start using them they'll also become exposed so they're more like deep undercover agents. They're not going to "waste" them trying to catch the odd criminal, even if it's for serious crimes. They're military assets stockpiled for a cyberwar, like being able to crack the Enigma code during WWII. Some of it for espionage but I'm guessing most for being able to strike both physically and electronically at the same time, paralyze or even mislead their systems while you move in.