Evidence suggests that scaling quantum computing to the large number of qubits required to decrypt 2kbit RSA would be extraordinarily expensive, if possible at all. The largest quantum computer[1] built so far outside of secret institutions has, I believe, 14 qubits (I may be a little out-of-date, but not by a long way). Scaling has occurred at a fairly constant linear rate of about 1 qubit per annum since the earliest machines were produced. There's no signs of an exponential take-off the way there was with conventional computing hardware, which suggests that the expense of scaling to larger and larger quantum computers doesn't get decrease the way it does with silicon.

Some data points:

1998: 3 qubits

2000: 5 qubits

2001: 7 qubits (largest achieved to date with single atom containing all qubits in different degrees of freedom)

2005: 8 qubits

2006: 12 qubits

2011: 14 qubits

This is the best private industry can do. I'd be surprised if the NSA were doing more than a factor of 10 better. To crack 2048-bit RSA, about 3000 qubits would be required[2], or about 20 times my best guess as the limit of what the NSA could have achieved. Besides, Shor's algorithm is not instant: even if it's faster than any classical algorithm, it's still third-order polynomial on the number of bits in the input, and quantum computers don't perform individual operations particularly quickly, so even if we assume the NSA has managed to make a quantum computer that's a thousand times faster per operation than existing private systems, to factor a 2048-bit RSA key on a 3,000 qubit computer would take about 8.6 billion operations running at about 10-100us each, which is to say approximately 1 to 10 days of time on the (enormously expensive) system (of which they almost certainly only have one, which will therefore have a very long prioritized queue of jobs waiting for it).

And upgrade to 4096 bits, and they'll need a quantum computer with 6,000 qubits, and the job will take somewhere between a week and three months to complete.

[1] I'm excluding so-called quantum annealing computers from this, e.g. various systems produced by D-Wave, because they cannot be used to run Shor's algorithm, so are not a threat to RSA. This is not so much an entry into the debate as to whether or not they should be classified as quantum computers, but a practical decision based on the subject under discussion.

[2] traditionally, this would be 4096 (twice the number of bits in the input), but this arxiv paper claims 1.5 x bits in input or fewer is achievable through a method I don't really understand