Its not like this is that different than traditional "weapons" (i hate the "cyberweapons" analogy, but if the shoe fits).
Sell guns to governments, even unsavoury ones, it is very rare anything will happen to you except in pretty extreme cases. Sell guns to street gangs, well that is a different story. Like i don't think this situation is different because it is "hacking".
The NSO created/ran cloud instances for each client country and reviewed and approved every target. The didn’t sell weapons like in your analogy. They were effectively assassins for hire.
The problem with selling exploits is you want to maintain “ownership” of the exploit details, lest your customer just take the exploit and sell/use it without paying more or use it to attack you or your friends. This means you end up with veto power. I.e. culpability.
Kind of like the CIA importing heroin and cocaine. The laws cover this scenario but we have a problem with especially poor enforcement when the crimes are committed by parts of the government.
And meanwhile, if the government sells guns to cartels... no big deal. Rarely throw a fall guy under the bus. Or often not even that.
Trying to remember the quote I last heard, something to the tune of "we don't want to punish, we want to educate", which was about "educating" LEOs and entire police departments they shouldn't be selling fun switch guns illegally to gangs and private buyers.
(And do I even have to mention "fast and furious?" Hah! Feds get it the easiest.)
Sell guns to governments, even unsavoury ones, it is very rare anything will happen to you except in pretty extreme cases. Sell guns to street gangs, well that is a different story. Like i don't think this situation is different because it is "hacking".