by gph 2666 days ago
I'm confused why anyone in this thread chain would think a firm like Ernst and Young would have access to zero-days?
3 comments

0-days are not magic. Stare enough at code and you will find them. E&Y and the other professional services companies have a big pentesting team, and they would have made discoveries on their own regarding system security. Any company with a large security / research team would have 0-days. What they do with them (report, sit, burn, etc.) is up to the organizational and individual ethics of the operator.
Because 0-days are accessible to anyone with money. And Ernst and Young would have a ton of money, and plenty of opportunities where clients would come to them and hire them privately about issues like this.

Coming up with 0-days is moderately hard with your own cracking team. Buying them is an easy thing to do.

Ultimately, that's what 0-days are for in the wider market. You find one and sell it.

Ernst and Young are huge and do a lot of very sophisticated forensic accounting work. If they don't have people in house, they almost certainly have the phone number to someone who does.