I think it's really difficult to come to any kind of firm conclusion about what NSA can and can't break, even with a background in the material. I tend to doubt NSA has a world-beating RSA class break locked away. But I don't think people should be making decisions based on Snowden's personal technical opinions.
"No decrypt available for _this_ PGP encrypted message."
You don't write an error message that way unless the code has a success case as well.
I'm sure he said "to my knowledge" or something to that effect. That is, at least for at least relatively far into the circles of confidence, people did not know about encryption being broken algorithmicly or PGP broken in practice.
Russia has world class cryptographers too, and may have beaten the NSA to the punch. Snowden is after all currently living under FSB protection, which I doubt came for free. Someone willing to sell out their country would likely sell out its people too.
To be sure, that's an important fact. And it does mean that PGP (and for that matter, similar cryptosystems with robust implementations) create a palpable and useful protection against this kind of analysis.
But in the event that the NSA (or other agencies engaged in signals intelligence) have an attack wholly unknown to the literature, it's unlikely that it will be provided in the same toolchain as hunky-dory man-in-the-middle style attacks, such as those disclosed in Snowden's famous slides.
I'm not saying NSA can break PGP - I think they almost certainly can't. But Snowden's revelation on this point shows only that the analysts he was supporting don't have access to novel attacks, not that novel attacks don't exist.
PGP uses RSA which means it's not forward secret. That means, when the agencies hack endpoints to steal PGP keys, they can use them to retrospectively decrypt all PGP-encrypted emails that user has received from their contacts, even if the user has deleted the original message long since.
So no, NSA can't break RSA (assuming it's at least 2048 bits) or AES, but they can bypass the encryption by hacking endpoints. PGP's algorithms are not weak, the key management is extremely weak.
