Comment by eviks
2 years ago
It may cost a million, but it doesn't follow that every use(r) costs the same (could even also call this a category error).
Neither is "going to get you" a given; maybe another agency is in charge of the alternative methods of getting you, and they have different priorities that don't include your target (or alternative ways are much more expensive or too slow to be worth it).
The point is that it's incorrect to think of the US (or any other country's) IC as a force of nature, blasting out 0days to random civilians just for kicks. These things are expensive, very expensive, and are carefully orchestrated. They don't look anything like the average civilian's security breach, which is somewhere between "accidentally leaked their own password" and "TSA asks you to unlock your phone."
Neither is it correct to believe the myth of careful orchestration with only rational institutional goals and deep care about other people's money (though again, develop/use are different "these things").