Perhaps. But what percentage of exploits are actually zero days versus, say, 10 days or 100 days?

Most exploited code probably exists in the application layer in a high-level, memory safe language. I would wager that but I don’t have time to cite ten papers on HN.