I'd really love to know how you know this. I can think of a handful of very public DARPA, NIST, USN and NSA programs that are dedicated to hardening (most are little more than academic curiosities, measured in millions) - whereas the NSA's black budget (measured in billions) easily dwarfs those. Are you saying that the NSA is secretly spending large sums of money on hardening software outside of their black cube?
I don't disagree on the lack of private hardening spending, which is really beside the point, because obviously there is very little incentive for a company when all they have to do is budget for a useless CYA LifeLock service.