They shouldn’t if they’re spy agencies. Their job is to get in to get the information using any available means. They should if they’re primarily security agencies. Their job is securing stuff. Companies and government should simply build their systems in a way that follows established security practices. The customers should also vote with their wallet paying for robust goods. The vast majority of vulnerabilities can be stopped with a simple, memory-safe language with input validation or precondition checks on functions. These have existed since at least the 80’s on minicomputers.
The spy agencies shouldn’t be a large, risk factor to average consumer if other parties are being responsible. If other parties are being irresponsible, you have much larger risks to worry about from malware authors trying to hit the same system to do real damage to lots of users.
Just ask someone on the street, “Is catching a terrorist that you’ve never heard of in another country worth having your identity stolen by hackers for because government agencies and hackers are looking for and not disclosing the same vulnerabilities?”. It seems like most governments put catching terrorists high above security, privacy and dignity of their own citizens.
How many identity thieves are using iPhone 0 days?
Only the really really good ones! The good identity thieves still your finger print and own your TouchID, too!