The CISA report saying most vulns were initially exploited as zero days is good news. We may be getting better at updating. Is "initially" doing some heavy lifting?

One of these vendors shipped known vulnerable Java libraries resulting in vulns despite being in the software tooling business ffs.