Re: You're only as good as 'your weakest links'...
Yes, I did read what you wrote, and I found your reasoning unpersuasive.
I do apologise for my sloppy use of 'exploits' instead of 'bugs' (maybe 'vulnerabilities' would be even better).
I also think I expressed this wrongly: "Operationally, you can't assume your 0day is really a 0day for your enemy - maybe they found it last week, so your deployment strategy should assume that many, or even most, of the exploits new vulnerabilities that you discover are already known." Sorry for my sloppy writing.
"Finding and exploiting bugs is significantly more work than developing patches." I suppose that depends on the bug. There are cases where malware exploiting a bug has appeared very soon after the patch was released. Which means that either it was quite simple to exploit, so the malware developer(s) thought it worthwhile to try to catch the slow patchers by reverse-engineering the patch to understand the bug and then developing the malware using it, or they'd already discovered it and were quietly using it on high-value targets, so it was no trouble to do a mass release when it was going to lose value anyway.
"It's pretty rare that the same bug is discovered and successfully exploited independently by multiple actors." Got any statistics for that? That seems like an overly optimistic assumption. Be a pessimist: if you've found a bug, it's low-hanging fruit that almost anyone could find, and someone probably already has.
At least we agree that we have to assume there are exploitable bugs we have no idea about, and we need proper layered security.