The BND/BSI split as implemented in Germany is relatively unique precisely to separate offensive and defensive concerns. The biggest issue IMHO is that they both report to the same federal office.
I worked on SINA components in the past, so I know first hand what they're capable of and what some parts of the German tech media claimed they're used for. (tl;dr: there's very little overlap between some of the more popular claims and reality)
I suspect something similar happened here: BKA and some contractors build the trojan software. BVerfG requires that these tools are limited in their impact, and lawyers would also have a field day in court with any case where the software was used, if it can be shown to create security issues and so the BKA requests a security audit from the BSI (that's part of their charter) and gets it. That might have meant some code (in form of patches) flows back, but given that it's the BSI we're talking about, I doubt it.
Unfortunately the BSI is chartered to do security reviews for federal software, so they can't simply refuse. Meanwhile BSI officials are paranoid because they know (from the SINA/ISP surveillance FUD) what public reception of such a job looks like and try to do PR management (and fail, which surprises probably no one).