A vulnerability is just that
And this, ladies and gentlemen, is the problem with the concept of hoarding exploits - they get out.
This should be instructive for our governments when considering their various proposals to mandate 'crackable' encryption - these 'tools' they covet and demand are vulnerabilities and their existence is a security risk whether they are 'in the wild' or hoarded by a government agency or a private firm.
One thing we need to clear up is this misconception that having someone trustworthy controlling this information somehow makes it all okay. It doesn't; the vulnerabilities still exist. What has been managed is simply the knowledge of those vulnerabilities.
Someone else will come across the same vulnerabilities and, once that happens, you have instant risk to everyone using the software/hardware. There is also the possibility - some would say inevitability - that, as has happened here, the information will be stolen.
The fact that it has happened here should give every government pause. This is a company whose very reason for existing is identifying and understanding vulnerabilities. They get paid to understand the world of 'cyber security' and what is required to breach systems. They are a professional outfit with serious commercial incentive to keep this information safe* and they were breached.
Remember - a vulnerability does not magically disappear simply because only the 'right' people know about it. Sooner or later, someone else will - no matter how clever those protecting that knowledge or how sincere their intentions.
* - After all, if the vulnerabilities are patched, their products become ineffective and thus their business has nothing to sell.