Take the EternalBlue exploit [1] as an example. The NSA had been aware of the vulnerability for years, but only informed Microsoft once it slipped out of their control:
"The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017,[19] after delaying its regular release of security patches in February 2017.[20] On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010,[21] which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time
...
Many Windows users had not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself"
[1] https://en.wikipedia.org/wiki/EternalBlue#Details