by kdbg
2057 days ago
Are there stats? Not that I'm aware of. There might be, it's just not my area. I am more aware of the exploit development side of things though. The process of going from a bug to a weaponized exploit, though, is still largely manual. Yes, some tooling exists that may automate certain tasks, however these tools often only work as proofs of concept. ROP compilers are a great example: they "work", but they are usually far more prone to crashing than one compiled by hand, and as such wouldn't be used in the real world. That's just kinda the general truth: ignoring the many cases where the automated offerings just don't work at all, when they do, it's often not weaponized to a useful degree. You might think that you could then use what it does as a starting place, but it takes a lot of time to now reverse what the script did and figure out what can/should be changed, similar to having just done it yourself in the first place and not being constrained. That said, there has been some research in augmenting the workflow by discovering exploit strategy candidates. I forget the name right now, but there was a paper early this year presenting a capability-guided fuzzer that focused on "fuzzing" OOB write vulns to expand them and discover viable exploit strategies for them.