Personally, I can see an argument for the NSA to "hoard" exploits to use for their intelligence purposes. However I think there can be agreement that once that if that information is leaked, there is a duty of care to responsibly disclose vulnerabilities to the affected software vendors. I think that is what they did here siince Microsoft patched the affected Operating Systems that were still supported in March.
Interestingly, a lot of information online regarding this issue is demonstrably inaccurate. I've seem posts saying it doesn't affect Windows 10, or only affected XP, for example.
Fact of the matter is that Windows 10 was vulnerable to the exploit, unless users had taken steps to remove SMBv1/CIFS support from the "Add/Remove Windows Features" control panel. The
Security Bulletin released in March lists Windows 10 as an affected system and lists it as a Critical Remote Execution Exploit. Any Windows 10 system that does not have that patch or the May 9th Security Rollup (KB4019472) is vulnerable to this exploit, and Windows Vista through 10 are all affected similarly.
The misconception that Windows 10 isn't affected can be blamed on Microsoft, since Microsoft said that the issue does not affect Windows 10, even though it does, which was a PR Spin because they consider Windows 10 a service.
In the case of businesses still using XP, it's really a case of "Play stupid games, win stupid prizes".