"At the moment, we are in the face of an escalating threat".
A computer screen shows an error message after Britain's National Health Service was hacked.
Australia and New Zealand appeared to have escaped largely unscathed as they woke up for their first business day since a massive ransomware worm hit thousands of computer systems around the world, disrupting operations at hospitals, shops and schools.
It is believed to be the biggest online extortion ever, hitting British hospitals, German rail and companies and government agencies.
Referencing Microsoft ditching support for Windows XP in 2014 - despite the software remaining in widespread public and private use - Omand asked: "Should Microsoft have stopped supporting Windows XP so soon, knowing that institutions had invested heavily in it (at the urging of the company at the time)?"
According to University of Melbourne cyber security expert Dr Suelette Dreyfus, the attack would have been nowhere near as prolific had people run the updates provided by Microsoft in March.
"An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen", Smith wrote.
He warned governments against stockpiling such vulnerabilities and said instead they should report them to manufacturers - not sell, store or exploit them, lest they fall into the wrong hands.
The NSA and White House did not immediately respond to requests for comment about the Microsoft statement, Reuters news agency reported.
The attack therefore spread faster than previous, smaller-scale ransomware attacks.
"And that is a big concern because code, unlike physical weapons, is very hard to protect".
The bureau had raised its cyber security of critical infrastructure, government departments and key businesses, it added.
Meanwhile, an executive at a cybersecurity firm that helped block Friday's attack said that new variations of the malicious worm are circulating - and that researchers expect one to develop that cannot be stopped.
Ryan Kalember, senior vice president at Proofpoint Inc., which helped stop its spread, said the version without a kill switch could spread.