If we look at operating systems in a Thomas Hobbes Leviathan kind of way, then Microsoft, through its monopoly on spying on your computer and dominating your system, is imbued with a vested interest in preventing anyone else from doing the same since Microsoft wants to conserve that power for itself. So in effect you get one big bad guy rather than thousands of them. Well, at least that's how it should work.
You're wrong to compare these hacking tools to arms dealing. That's a terrible analogy because international arms dealers and their customers aren't going around interfering with the daily home and office life of ordinary Americans. Microsoft talks a lot about NSO Group, which makes tools that sound like highly targeted arms dealing. But let's not forget there are 10x as many smaller companies from that same country, which sell the tools for surveillance and hacking of ordinary people and businesses.
Just the other day I was reading about one called Komedia which sells Layered Service Providers that are used for things like building pre-installed Lenovo laptop software that decrypts your HTTPS and routes it through some service which injected ads and broke nodejs. It's in my opinion criminality on a scale 100x worse than anything Aaron Swartz ever did (RIP), and for some reason "businesses" that do things like that are becoming increasingly normalized.
As I understand it, "sells 0day to gov" and "sells 0day for crime" are distinct brokers, even though in some cases they purchase exploits from the same suppliers.
TFA is really only talking about the first group because (for obvious reasons) regulating brokers who sell exploits or tools for criminal purposes is not going to work. That's already illegal.
Insecure spyware/crapware is a distinct (commercial) market which doesn't overlap much with the other two and doesn't rely on "0day" at all.
Broadly I agree with your analysis re: Microsoft's motives here.
However I believe the OP's analogy holds if you don't overextend it beyond exploit sales to government.