> much of the commercial world is thinly veiled NSA work
While security agencies of various governments are on the buy-side on the "zero day" vulnerability market, majority of commercial "cyber" security companies are not dealing in "cyber weapons" and are not involved with NSA. There are plentiful examples of successful "white hats": H. D. Moore, Dan Kaminsky, Tavis Ormandy, Michał Zalewski, even our own Colin Percival and tptacek etc. You don't have to do work for government to play in this area.
It's less of an excuse and more of a statement about the current state of reality. Are there examples and counter-examples and so on? Absolutely. Do any of them change the state of reality by existing? No. Is a very sizable portion of private-sector work today paid for by the NSA, directly or otherwise, including both defensive and offensive capabilities? You bet.
As a result, saying people should go to the commercial world isn't actually much of a change. It's not an alternative to the current reality because it is the current reality.
It's worth remembering that you probably don't hear about the big players very much in places like this. Endgame, MITRE, Leidos, etc. They tend to stay out of the limelight while still employing substantial numbers of people.
While security agencies of various governments are on the buy-side on the "zero day" vulnerability market, majority of commercial "cyber" security companies are not dealing in "cyber weapons" and are not involved with NSA. There are plentiful examples of successful "white hats": H. D. Moore, Dan Kaminsky, Tavis Ormandy, Michał Zalewski, even our own Colin Percival and tptacek etc. You don't have to do work for government to play in this area.