Bingo, or even creating their own exploit and releasing it in a way that does not tie back to them.
Realistically, a backdoor is the worst option for the NSA. A backdoor would be known by the people who implemented it, who, assuming it's a cooperative venture, would most likely be at the company itself. A backdoor would also be most likely living in the real codebase, able to be discovered by others, and, if somehow it leaks, it'll point directly at the NSA.
An exploit does not live in the codebase, could be blamed on others, and will produce the same results.
Realistically, a backdoor is the worst option for the NSA. A backdoor would be known by the people who implemented it, who, assuming it's a cooperative venture, would most likely be at the company itself. A backdoor would also be most likely living in the real codebase, able to be discovered by others, and, if somehow it leaks, it'll point directly at the NSA.
An exploit does not live in the codebase, could be blamed on others, and will produce the same results.