One possible argument: You can't get "mutually assured destruction" from vulnerabilities. With guns you can say if you invade here I'll shoot you, if you were to bomb me, I'd bomb you back. But with vulnerabilities you can't even say you have them as that would help the other party find them. You can't say unleash a cyber attack on me and I'll do the same back in the same way. It seems rather than being both an offence AND defence like guns, they are an offence at the expense of your defence.
The point is not to use them#, the point is that the opposition believes that you have them, they are effective and that you will use them. In that sense the Snowden leaks have been a powerful propaganda win for NSA offensive cyber: everyone knows they have real capability. Likewise we know that the Russians have offensive capability against civilians (DNC, Ukraine power grid, etc), a propaganda machine, and a counter-cyber team (Shadow Brokers). What we don't know is how good the Russian/* military cyber capability is, and how strong the defence would be.
Personally I think most defences are rubbish, it is MAD, and the financial implications would be dire.
It reminds me of a classic line from Spies Like Us: "A weapon unused is a useless weapon."
