"...so critics are actually arguing that the government should spend millions on vulnerabilities in order to disclose them to vendors."
Why, that sounds like a marvelous way to spend taxpayer dollars since I always thought my tax dollars were supposed to work for me!
"Security pundits fear that information exposed in the release will allow cybercriminals and less capable nation states to up the ante."
A) If the CIA is buying these exploits, wouldn't it be a bit naive to assume that no one else has a checkbook.
B) Equally simplistic is the idea that the folks the CIA bought the exploit from are the only ones to discover it. This is not a zero sum game and it's also not like guarding nuclear secrets where you need hard materials in addition to knowledge (OK, you need a computer, but...).