What we really need is a new agency just like the NSA except for it's only mandate is closing holes everywhere even if those holes are actively being exploited by the NSA and CIA. Such an agency would actively discover holes, patch them when possible or disclosing the vulnerabilities to the engineers responsible for the software or hardware in question. Furthermore, the NSA and CIA would need to be barred from trying to get any access to this organization for its own use.