And there wasn't interest with a 25+% install share on the web?

Not sure what you are trying to get at with your post? Are you implying that NaCL is vulnerable because of it's nature and now will be an major attack vector?

But NaCL in my view can be made(or already is in my opinion) solid and with more focus will become safer and coupled with fast updates, it should make it a lot less of an issue as Flash or ActiveX vulnerabilities have been.

I think the point is that the State Department is a juicier (or at least more high profile) target than 25% of people on the web.

Is it though? 25% of people on the web has to include some pretty juicy targets (like... Google itself, Chrome's probably pretty popular there).

considering that a flash movie embedded in an excel document is what took down RSA, I don't think NaCl is going to be moving much on the priority list of places to look for vulnerabilities.

One notable point: If they're using Chrome, they could actually uninstall flash on all the computers since chrome utilizes their own, embedded version.

As far as I know, NaCl is still only enabled for very manually installed Chrome Web Store apps. If they want to target the tiny niche of developers that have free-for-all NaCl turned on, well, have at it.