Problem five can't be mentioned. It's classified :-)
The United States government has published its new policy for publicly disclosing vulnerabilities and security holes. The new rulebook [PDF] – and the decision to make it public – comes following a tumultuous 12 months in which Uncle Sam's chief spy agency, the NSA, was devastated to discover part of its secret cache of …
"informing US and allied government entities of the vulnerability at a classified level"
Presumably those governments will patch against the vulnerability, and also warn their chums in critically important companies to patch against it.
So when a new bit of malware trashes all the small companies but doesn't touch the big ones or the government, then it will be pretty obvious why.
A better solution?
How about everyone starts thoroughly testing code before it's released? Instead of rushing code out the door and telling everyone that it's now over twice as fast as six months ago, and built on a completely overhauled core engine with brand new technology - wouldn't it make sense to be able to say that it's now more secure?
If the code is now twice as fast as it used to be, are you still checking inputs for buffer overflow?
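As an added illustration (not part of the comment above or the article it replies to) of what "checking inputs for buffer overflow" means in practice: the unchecked copy a hurried release tends to ship, beside a bounds-checked version that refuses input that does not fit rather than silently truncating it. `NAME_LEN`, the function names and the sample inputs are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed size of a fixed record/stack buffer */

/* The "fast" pattern: trusts the caller and copies until the NUL.
 * Any input of NAME_LEN bytes or more writes past the end of dst. */
void copy_name_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);            /* no length check at all */
}

/* Bounded length scan: never reads more than max bytes, so an
 * unterminated or oversized input cannot run the scan off the end. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The checked pattern: rejects input that does not fit (including
 * embedded NULs), and always leaves dst NUL-terminated.
 * Returns true on success, false if the input was refused. */
bool copy_name_checked(char dst[NAME_LEN], const char *src, size_t src_len)
{
    if (src == NULL || src_len >= NAME_LEN) {
        dst[0] = '\0';           /* well-defined empty string on refusal */
        return false;
    }
    if (memchr(src, '\0', src_len) != NULL) {
        dst[0] = '\0';           /* embedded NUL: length lies about content */
        return false;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

/* Convenience wrapper for C strings. A string of NAME_LEN bytes or more
 * yields bounded_len == NAME_LEN, which copy_name_checked refuses. */
bool copy_name_cstr(char dst[NAME_LEN], const char *src)
{
    if (src == NULL) {
        dst[0] = '\0';
        return false;
    }
    return copy_name_checked(dst, src, bounded_len(src, NAME_LEN));
}

int main(void)
{
    char buf[NAME_LEN];
    /* Constructed inputs: one that fits, one that would overflow. */
    const char *ok = "alice";
    const char *too_long = "0123456789ABCDEFGHIJ";   /* 20 bytes, max is 15 */

    printf("ok:       %d (\"%s\")\n", copy_name_cstr(buf, ok), buf);
    printf("too_long: %d (\"%s\")\n", copy_name_cstr(buf, too_long), buf);
    /* copy_name_unchecked(buf, too_long) would write 21 bytes into 16. */
    return 0;
}
```

The checked version deliberately refuses rather than truncates: a silently shortened name or path is a second class of bug (wrong file, wrong account) that a fast release is just as likely to miss.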
"thus when the NSA toolkit was leaked online and into the hands of WannaCry's developers, there was no patch available to protect users"
Actually there was... or at least there was by the time WannaCry was deployed. Microsoft had been quite quick about developing a fix for the vulnerability; the problem was that a lot of people had not been nearly so quick in deploying said patch.
(There was also an issue of people continuing to use an unsupported operating system without either isolating it from external contact or paying for the support. But that was much less significant.)