Zero day malware is malware that hasn’t been seen before. Zero day exploits are exploits that haven’t been seen before. It’s pretty simple. The thing is, the name kind of implies that it’s a “zero day” only until it’s discovered, and that after that it’s just some exploit in the wild which will be patched.
In practice there’s a significant amount of time between:
1) The time it’s infecting people and the time we realize it’s infecting people
2) The time we realize it’s infecting people and the time it takes to patch it
3) The time it takes to patch it and the time it takes to deploy the patch
4) The time it takes to deploy the patch and the time it takes for users to actually install it
That’s not a short time frame. Number 1 is the shortest, but 2, 3, and 4 can each take a long time: multiple days, or weeks for some users.
Some programs get around (4) with automatic updates, but even if the user installs immediately, they’re still vulnerable for about half the year, counting the days on which they can be exploited. When you consider that users usually wait at least a few days before installing updates, they’re vulnerable for the majority of the time.
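To make the four gaps concrete, here is an added example (my code, not the author’s) that models one host’s exposure to a handful of vulnerabilities as dates, reports how many days each of the four gaps took, and then counts the days in a year on which at least one issue was being exploited and not yet installed on that host. Overlapping windows are merged so they are not double counted, and a window that straddles the year boundary is clipped. The timelines are constructed sample data, not real vulnerabilities; the milestone names are my own.

```python
from dataclasses import dataclass
from datetime import date

# The four gaps from the post, as (label, start milestone, end milestone).
STAGES = (
    ("1 exploited -> discovered", "first_exploited", "discovered"),
    ("2 discovered -> patch released", "discovered", "patch_released"),
    ("3 patch released -> patch deployed", "patch_released", "patch_deployed"),
    ("4 patch deployed -> user installed", "patch_deployed", "user_installed"),
)


@dataclass(frozen=True)
class VulnTimeline:
    """Milestones of one vulnerability as seen from one host (field names are assumptions)."""
    name: str
    first_exploited: date   # exploitation in the wild begins
    discovered: date        # defenders learn it is being exploited
    patch_released: date    # vendor ships a fix
    patch_deployed: date    # fix reaches the update channel
    user_installed: date    # this host actually installs it

    def stage_gaps(self) -> dict[str, int]:
        """Days spent in each of the four gaps; rejects out-of-order milestones."""
        gaps = {}
        for label, start, end in STAGES:
            days = (getattr(self, end) - getattr(self, start)).days
            if days < 0:
                raise ValueError(f"{self.name}: {end} precedes {start}")
            gaps[label] = days
        return gaps

    def exposure(self) -> tuple[date, date]:
        """Half-open interval [first_exploited, user_installed) during which this host is exploitable."""
        return self.first_exploited, self.user_installed


def merge_intervals(intervals):
    """Union of half-open date intervals, so overlapping exposure windows count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def exposed_days(timelines, window_start: date, window_end: date) -> int:
    """Days inside [window_start, window_end) with at least one exploitable, not-yet-installed issue."""
    clipped = []
    for t in timelines:
        s, e = t.exposure()
        s, e = max(s, window_start), min(e, window_end)
        if s < e:
            clipped.append((s, e))
    return sum((e - s).days for s, e in merge_intervals(clipped))


# Constructed sample timelines (not real vulnerabilities); chosen to show an overlap
# (A and B) and a window that straddles the year end (D).
SAMPLE = [
    VulnTimeline("vuln-A", date(2023, 1, 10), date(2023, 1, 25), date(2023, 2, 20), date(2023, 2, 22), date(2023, 3, 1)),
    VulnTimeline("vuln-B", date(2023, 2, 15), date(2023, 3, 10), date(2023, 4, 5), date(2023, 4, 6), date(2023, 5, 15)),
    VulnTimeline("vuln-C", date(2023, 9, 1), date(2023, 9, 3), date(2023, 9, 20), date(2023, 9, 20), date(2023, 10, 10)),
    VulnTimeline("vuln-D", date(2023, 12, 20), date(2024, 1, 5), date(2024, 1, 20), date(2024, 1, 21), date(2024, 2, 1)),
]
YEAR = (date(2023, 1, 1), date(2024, 1, 1))  # the whole of 2023, half-open


def exposed_fraction(timelines=SAMPLE, window=YEAR) -> float:
    """Share of the window on which the host was exposed to at least one issue."""
    start, end = window
    return exposed_days(timelines, start, end) / (end - start).days


if __name__ == "__main__":
    for t in SAMPLE:
        print(t.name, t.stage_gaps())
    print(f"exposed {exposed_days(SAMPLE, *YEAR)} of {(YEAR[1] - YEAR[0]).days} days "
          f"({exposed_fraction():.0%})")
```

With these constructed dates the host is exposed on 176 of 365 days, close to the half-year figure above; swapping in a fleet’s real patch telemetry for `user_installed` is the obvious way to turn this into an actual exposure metric.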
I think it’s important to note that, because people often say “Oh, who cares about 0days, it’s usually users who aren’t patched who get infected” — well, most of us aren’t patched for most of the year.