kjj nailed it. The 21st century is far more open (and getting more open/decentralized everyday) then the 20th century was. Today finding even an academic flaw in say sHA-256 is the equivalent of winning the nobel prize in cryptography. It instantly elevates you to the elites of the field. SHA-256 has been extensively studied not just by countless governmental and corporate researchers but tens of thousands of academics all over the world. The idea that the NSA has a "lock" on cryptography is ... well sad. The irony is that the people claiming to be anti-state end up spreading so much FUD about the invincibility of the state that they end up being the biggest supporters of the state.
Is the NSA doing crypto-analysis of modern cryptographic functions? Sure but it is no longer a the largest area of research. Modern cryptography is an amazingly well built "lock". Breaking these modern locks is increasingly difficulty expensive and time consuming. However at the same time despite having access to these superior locks, many people still leave the window unlocked (sideband vulnerabilities), or hide the key under the mat (poor key security). The ROI% on going "around" the lock pays a much higher dividend then going through the lock and that is where the big dollars are being spent.
Even with a large budget the NSA does have finite resources and is limited by real world constraints like energy density, and computing efficiency. Even if NSA did (after billions and decades) "break" SHA-256 most systems will no longer be using it in a decade or two. A huge amount of resources spent on something which has an amazingly short shelf life. The NSA does a lot of defensive cryptanalysis. It isn't trying break SHA-256 so much as make sure it can't be broken. The NSA knows that US interests will use SHA-256 for the next decade or so. It is looking for flaws that others might also be looking for so it can advise other agencies on the relative security and make recommendations on upgrades.
Lets look at SHA-1 as an example. SHA-1 is considered cryptographically degraded. It shouldn't be used for any new systems and existing systems should migrate to new ciphers as quickly as possible. Still even if bitcoin only used SHA-1 (vs SHA-256 & RIPEMD-160 double hash) it likely would be secure from most attack even today.
http://en.wikipedia.org/wiki/SHA-1#AttacksThe estimated cost to perform a preimage attack on a SHA-1 hash is on the order of $3M per collision. Given the average value of an active Bitcoin address is <$3M it would cost more to exploit the known vulnerability and produce an alternative public/private keypair which could spend from a Bitcoin address then the address would be worth.
this vulnerability was first outlined in academic papers back in 2005 and is a carryover from the vulnerability known to exist in SHA0 since 1998. Should Bitcoin drop SHA-256 and go to the less secure SHA-1? No but it does give us some insight into how well built these locks are and how long it takes to develop a theoretical vulnerability into something which can be exploited in the real world. Over a decade of cryptanalysis later and the only real world attack vector involves millions of dollars worth of computing time. I would point out the all powerful NSA wasn't able to prevent the publishing of any of these papers outlining flaws in this and other algorithms. Even if at one time only the NSA knew about this vulnerability they weren't able to keep a lid on it. Others found out and were able to move to more secure algorithms.