The Windows 0-day is CVE-2015-2360 from MS15-061, it appears to be the only one Microsoft admits to have been exploited or used to attack it's customers.
Even if it's the only one they've admitted to, I think it's readily known that Microsoft has numerous zero-days (discovered or not) in their software. Combine that with their prevalence in Enterprise businesses, they're going to be a logical starting point for any top tier blackhat org.
I don't think it's fair to say "every single piece of software", as the claim that it's impossible to write secure software is just a myth. It's not very hard to write a secure "hello world".
Then there's also Coq and such.
Of course, usually the amount of vulnerabilities exponentially correlates to the size of the codebase.