192 points pera | 1 comments
1. tptacek No.45109481
As usual, I want to point out how silly these analyses are, because there is a whole ecosystem of companies (incl. several directly connected to major US defense contractors, and many more across the NATO countries) that provide exploit development and maintenance and implant technology. The only reason you hear about companies like Paragon is because they're comfortable being named; the ones you haven't heard about are more capable and more plugged in.

Every time a story on HN comes up about how bug bounties are underpaid and how much exploits are worth, I recite the bit about how serious grey-market vendors can run up the score on a serious vulnerability by (1) selling the same vulnerability to every IC/LEO agency in allied countries and (2) selling maintenance contracts to convert those agencies into recurring revenue. These are the companies I'm talking about when I say that. I'm never thinking of Paragon.

Of course ICE has exploit and implant tech.