"According to US government guidelines the NSA is supposed to assess the seriousness of zero-day flaws it finds and inform companies if it feels they are serious enough. [...] That didn't happen, and a lot of security people are going to be asking why not."
I really don't think anyone will be asking why not; it's completely bloody obvious.