“The first major finding is that the average life expectancy of a zero-day exploit and its underlying vulnerability is fairly long: 6.9 years, or 2,521 days.
A quarter of the vulnerabilities do not survive to a year and a half, the report continues, and another quarter live for over nine and a half years. The researchers didn’t find a clear link between any particular sort of vulnerability—such as the operating system or source code type—that might dictate a short or long life either.”
Source: Zero Day Exploits Rarely Discovered By More Than One Group, Study Finds – Motherboard