The one thing that corporate IT departments are not is a profit center. But the trend towards developing offensive exploits and selling them to government agencies could change that tomorrow if CEOs can be convinced to take the opportunity. Up to this point, CEOs and their Boards of Directors have been reluctant to spend too much money on cyber security because, frankly, it could easily become a serious money pit. A typical incident response bill for a breach can easily exceed the mid-six figures. Saudi Aramco and Sony probably paid a hefty multiple of that. Then there's the 5 figure monthly bills for threat intelligence feeds, plus the charges to protect against Denial of Service attacks, AV, IDS, IPS, etc. And the worst part of this money pit is that the company can only hope that their previously compromised network is clean. There's no way to tell for certain because it could still contain un-discovered malware.
The good news, or at least potential good news since no one is doing this yet, is that the undiscovered malware lurking on corporate networks potentially represent tens or hundreds of thousands of dollars in income for the corporation. And since it resides on the corporate network, it becomes the property of that corporation. All of a sudden, something that you've viewed only as a threat and an expense has become a valuable commodity thanks to the trend in selling offensive malware to government agencies.
The U.S. government is a customer for offensive exploits and so are a number of allied governments. In fact, if they aren't already doing this, defense contractors like Lockheed Martin, Raytheon, Northrup Grumman, and many others should already be mining their own networks for undiscovered malware, reverse-engineer what they find, and use it to fill orders by DoD since they've already got the contract vehicles in place.
Some of the more forward-looking DOD contractors who have robust internal Computer Emergency Response Teams (CERT) staffed with engineers who can do reverse-engineering could be in the best position to offer free or low-cost network defense to corporations who want to "flip" the malware found on their network for a nice profit. The best part is that everybody comes out a winner except for the malware writers who may have spent a lot of time and money developing 0-days for targeted attacks (i.e., the creators of Stuxnet, DuQu, Gauss, and Flame). In my scenario, they've merely provided a sellable commodity for free to the targets that they were hoping to exploit.