Nextgrid 2 hours ago
Defense in depth and multiple layers of security should ideally protect against zero-days; see the Swiss cheese model of accidents for an example; most aviation accidents are rarely caused by a single factor but an improbable combination of factors. This is why I also think “zero trust” and internet-accessible SaaS have done so much damage to the industry. Before, if your version control server has a vuln, the attackers still need to get on your VPN to even be able to scan for that vuln. Now, your version control server is on the internet and/or is an SaaS and all it takes is an exploit or a set of phished credentials for anyone anywhere in the world to get in.
awesome_dude 2 hours ago
> Defense in depth and multiple layers of security should ideally protect against zero-days

Absolutely agree, and that's why instant security in a can (just add water!) cannot work (as you have been saying)