It's a question of opportunity cost. The NSA has extensive resources, but it's unlikely that they can employ overwhelming resources (such as would be theoretically necessary to break tor) for every situation where overwhelming resources specifically directed are a theoretical weakness. At the moment, implementations are a much easier target, and so I don't necessarily think that it's surprising that they do have trouble with strong but imperfect systems like tor.
Perhaps once all implementation issues are removed from the security equation (I'll hold my breath while I wait...) it will be necessary to think up better systems. But right now, what's hard for us is hard for the NSA, and so that should be the guiding principle for strengthening current systems and developing new ones. I find that an empowering idea.
Yes - exactly. Opportunity cost is something that is not discussed enough. Conceivably, any "target" is vulnerable to every communication at the right price point. From technology solutions (provided by NSA), to in-field solutions (provided by CIA), we shouldn't believe that we can be totally "safe" from unwanted eavesdroppers.
It's not "if" Tor (and friends) are vulnerable. We should assume and operate like they are, but with some level of acceptable tradeoff. It's like a safe or ATM - neither of these guarantees perfect security; they just provide enough security for the expected loss of their contents.
The problem - it's just very hard to evaluate the opportunity cost, since we don't really know how wide-spread or "easy" it is for privacy to be breeched. These types of revelations help establish the "market price" for which we can use as a basis for evaluating our options for communications (including traditional man-to-man transport).
I personally don't have any communication which I consider privileged enough to warrant the extra hassle of running Tor, etc. I consider a TLS connection with my bank secure enough for my concerns and I don't have the desire to pull otherwise questionable content from any type of onion router. Therefore, I enter the market with a different expectation of features and cost I'm willing to pay.
Perhaps once all implementation issues are removed from the security equation (I'll hold my breath while I wait...) it will be necessary to think up better systems. But right now, what's hard for us is hard for the NSA, and so that should be the guiding principle for strengthening current systems and developing new ones. I find that an empowering idea.