I think you're half right. Security is just an added expense. OTOH as someone else pointed out it's also good PR to say you've found x bug and have fixed it. And bad PR when it leaks that the NSA found all kinds of ways to exploit your software and you didn't. So there are costs on both sides. In the end the main reason I have no confidence in MS is that they are, after all, a very large American corporation, and the NSA and all the rest of the cop agencies exist to protect them. So why wouldn't they cooperate?