Want to hear my conspiracy theory?
Many zero-days are intentional, and they are intentional from two origins.
1. Software Company A intentionally creates a 0day in their program, at the behest of an intelligence agency. Eventually the exploit gets publicly revealed by someone in the ethical community, at which point Company A makes a patch but takes no flak beyond that.
2. Software Company B's underpaid employee A drops a 0day into a program with the intent of selling it for a bonus. Once the 0day breaks, Company B makes a patch, determines who is responsible, launches an investigation, and contacts the FBI, who subsequently note that employee A has a lot more money now.
3. And sometimes it's just plain bad programming.