To be fair the vast, vast majority of exploitation that we see (especially in the news) comes from sub-par security setups and poor training/architecture. That’s no even going into security monitoring which most companies don’t or barely have.

Zero days account for very small amount of exploitation in comparison and by definition are unpatched so I think the commenter was right to point out the basics.