
I'm interested in the moral hazard this creates if this practice becomes widespread. If your servers are "too big to fail", and the FBI/NSA can reliably zero-day into your servers to patch zero-day bugs, that seems like a pretty good deal for skimping on some of your security budget.



FBI/NSA doesn't give a damn about some unpatched servers in the wild. They are probably clearing web shells in order to bait hackers into reinfecting the same servers, and try to locate/attribute the original bad actor.



