That's totally fair, but I hope that each of those organizations has a vested interest in exposing each other; at the very least it's in the NSA's charter to protect American businesses against attacks, though I have no idea if they feel this is an effective way to do that. So yes, it's risky.
But Microsoft has all those disadvantages too; even though it's harder to get moles inside, it's easier to have their stuff go undetected (and in the case of the NSA it might even be done with full cooperation). Plus, the market share makes them a bigger target.
Outside of probable hypotheticals, what we know for certain is that Microsoft is attempting to monetize their new Windows on the back of users' data.
While I mentioned the NSA, really the bigger threat is a guy (or hacker group) who wants to pull off a million dollar heist. The NSA can get into (practically) anything and everything.
To get a job at MS, you have to have a real life reputation. Once you get in, there will be others analyzing your code, and your bug may not make it to release.
To insert a bug into Debian, become a packager and you're done. Access to one of the most popular server (the important stuff is here) OSs (Debian, Ubuntu) on the web.
You're busted? Create another account and start over.
If the NSA were trying to protect American businesses against attacks, they would responsibly disclose vulnerabilities they discover. But for the most part they hoard them.