Which is why we're currently in a situation where zero-days that NSA easily knew would be leaked were not patched at least a month ahead of time were left unpatched. The costs aren't significant enough to motivate them to respond to their failures.
People like to blame the capitalistic incentives for not upgrading from Windows XP but to me the failure to respond to this obvious outcome of the leaking of NSA malware is far more insidious. These sys-admins managing old systems were not prepared for state-financed malware to be released to C-level cyber criminals as a 'threat-actor'.
The poor state of corporate information security has been exposed in the last few days, but even that sorry state is nothing compared to the failed responsibility of the US government to value their citizens over internal objectives. Which is increasingly a common narrative that is a unsurprisingly a result of the unencumbered growth of the security state and by proxy the executive branch whom they ultimately report to.