According to Gartner, through 2020, 99 percent of exploited vulnerabilities will continue to be known for at least one year. The breach of TalkTalks customers via a simple SQL injection is a good example when zero-day is not really needed to get to the crown jewels. Many companies host in-house web applications riddled with high or critical vulnerabilities, which an experienced attacker can detect and exploit within a few hours. Cybercrime groups will even carefully patch the vulnerabilities after a successful exploitation to prevent their competitors from getting it.”]
Source: https://www.csoonline.com/article/3143713/shall-we-care-about-zero-day.html