If an operation using these exploits was ever tumbled by an adversary, then they should have started the vendor notification process immediately. You must assume the exploit will be found and reverse-engineered.
This was me about a decade ago. I couldn’t find any such companies. So I became a consultant and an incident responder. Sometimes you need to change horses.