This is part of the larger problem with the NSA's dual responsibility in the U.S.
It's the safecracker/national security hacker of choice, but it is also in charge of cybersecurity for the U.S. On top of that through it's big budget, relationships with other sigint agencies, alumni community in private industry and the ability to rouse support from various arms of the military-industrial, intelligence or law enforcement communities in the U.S. and probably a lot of U.S. allies, it has huge influence in IT security around the world.
So if you are an IT security company, the NSA can really hold your feet to the fire. If you tweak them by outing their malware without permission, you can find your products getting bad security reviews from the NSA, or no reviews at all, or getting inexplicably edged out of government contracts or work with defense/government contractors in the U.S. and overseas. That's a lot of potential customers to risk losing by through exposing an NSA or 5 Eyes operation, even if that operation is a threat to IT security in general.
Plus there is just the national security/sigint aspect of their organization. If you are the CEO of even a huge IT security vendor like Symantec and you get a call from the Director of the NSA, you are probably going to take the call simply out of interest in what he is going to ask you about and what he thinks the potential alignment might be between the world's premier sigint agency and your company.
The NSA really needs to have it's cybersecurity responsibilities moved out from under the agency. It basically allows them to corrupt or appear to corrupt much of the IT security industry. I can understand why the NSA wants to keep that responsibility in-house, it allows them to control a lot of the industry. However, its a bad deal for IT customers and the IT security industry itself.
Biting the hand that feeds IT
