Stingrays don't do shit for this. That's mostly real time location data focused in by tricking your phone into reporting its location to a fake cell tower controlled by an adversary. That doesn't get into the data in your phone, and even if someone used the fake tower to man in the middle, by default pretty much all of a phone's Internet traffic is encrypted from the ISP.
The world of breaking disk encryption on devices is a completely different line of technology, tools, and techniques.
But yes, exploits are sold by gray hats rather than by white hats and closed. The NSA is supposed to be on top of this, but instead of closing exploits, they keep them to enhance their anti-terror spying, which they then trickle out to US Law Enforcement, especially if there's loot (liquid assets) that are easy to seize.
Law enforcement in the US is mostly a highway robbery racket.