While it's not stockpiles of vulnerabilities, I don't think it's valid to say there's no evidence of vulnerability feeds. For example a bigger company can get early notification of embargoed vulnerabilities for various projects they use, sometimes with early patches.

I'd be surprised if USG didn't have access to pretty much every important feed like that. This gives every notified party at least a few days to act. (defence or otherwise)