Consider the possibility that governments can create their own exploits. If they have a large quantity of server side bugs the marginal utility of one more is effectively 0. It is safe to assume that they have existing capabilities in that area. Just mentioning a LAMP stack means SQLi as the most likely vector. No point in paying for someone to run sqlmap for you... ;)