Trend Micro released a research urging organizations to focus patching efforts on the vulnerabilities that pose the greatest risk to their organization. 22% of exploits for sale in underground forums are more than three years old. The oldest exploit sold in the underground was for CVE-2012-0158, a Microsoft RCE vulnerability, which is still ongoing after five years. In 2020, WannaCry was still the most detected malware family in the wild, and there were over 700,000 devices worldwide vulnerable as of March 2021.
Source: https://www.helpnetsecurity.com/2021/07/15/exploits-for-sale/