I didn't imply that you should. My statement still stands. While "they shouldn't have done X" is not security, that doesn't mean that the statement is devoid of meaning, or that we should ignore the question of whether or not "they should have done X."
Edit: Your statements seem to imply that because "100% security" would mean that anyone "doing X" would have no result, then everyone should be allowed to "do X" without question.
I am saying that regardless of what we'd like to expect, we should prepare for the unexpected. Picking your attacker is doomed to fail; don't try. I don't think this is controversial.
It isn't. I also fail to see what it has to do with the discussion at hand. The issue IMHO is not that CMU did research on Tor, or that the US government paid for research into the security of Tor, but the question if the FBI basically outsourced investigations to researchers, and if yes, on what legal basis this happened.
Yes, that they succeeded to collect information is a failure of Tor and makes it less trustworthy, I don't think that's contested by anyone here.
Attacking real users in the process of finding security bugs and how to deal with captured data is the (separate) ethical issue here.
Edit: Your statements seem to imply that because "100% security" would mean that anyone "doing X" would have no result, then everyone should be allowed to "do X" without question.