I can’t say I am comfortable with this.
But regrettably it is the nature of people, someone wants to buy a weapon, someone will sell it to them.
If encryption is listed as a munition then by no stretch then should exploits or the knowledge to create a specific exploit a vulnerability.
With a national budget to spend, it is not inconceivable that you could create something with far more impact then Stuxnet. In fact this makes me rethink where those Stuxnet vulnerabilities came from.
I see no difference between this and arms running.