[staticassertion]

There are exploits though - for example, the lowest barrier to exploit vulns like 'zoom bombing' are being exploited quite often.

Others, like perhaps an RCE, are not being seen. This is for a lot of reasons.

* Many are being found by whitehats/ researchers, so by the time they're made public an attacker is already playing catch-up - it can take days or weeks to build a good exploit chain, so starting from "A patch is out" or "The vuln is disclosed" is not encouraging.

* In general, exploitation of vulnerabilities is actually quite rare. Patching practices, mitigation strategies, etc, have radically improved over the last decade. It isn't that the attackers can't do it, but the majority of attacks will just phish you, install malware, and try to make money the simplest way possible.

Does that mean you accept that risk of vulnerable software? These are not strong mitigating factors and are mostly about risk profiling and motivation. So that decision is up to you.