Given the billions that Microsoft makes every year, I frankly find it amazing that Microsoft can't hire a bunch of hackers (in Russia) whose sole objective in life would be to find "holes" in its software, paying them American salaries.
They do.
They do hire security researchers in the USA, Russia and other countries (including many repented criminals).
They do have public rewards programs for third-party researchers, hackers, etc.
They do purchase vulnerabilities from criminals auctioning them.
They do purchase vulnerabilities from gray brokers who work with governments and corporations.
They do use various automated tools based on mathematical proofs or heuristics to detect vulnerabilities.
They do organize heavy security reviews to make sure that every line of code is re-re-read by various programmers.
They do implement processes to make sure that every employee understands how security problems appear, how to avoid them, and their consequences.
They do offer assistance and tools to third-party vendors, especially device manufacturers who have to provide drivers, to ensure that they do a good job.
It is not enough. Vulnerabilities and bugs remain in your Windows, your Android, your iOS, your ATM, your TV, your coffee maker, your car and plane's autopilots, governments' nuclear cases, ... They exist both in the software, in the hardware and in the human organizations. They always will.
You can try to decrease the probability of occurrence with various methodologies like the ones used by Microsoft. For some devices you can try to keep things minimalist by not optimizing and removing features (no user interface, no network, ...).
But the only real solution is to expect that things will go wrong and make it tolerable. Any data on a connected computer will eventually become public.
And why is nobody hacking Russian email-agents?
Because it would be illegal and employees could be jailed. Besides, Russia could sue MS in a US court and win.
Because MS has nothing to gain from it.
Because it would be a very bad PR move: people do not want to see corporations attack countries. Maybe you think it would be fine if they targeted Russia, but Russian and Chinese customers will think otherwise.