From definition, a 0-day is not patched in any system because it's not known. But back to your real question.

The biggest attack vectors are the browser, the mail client and direct network access. I would never use outlook, edge or connect my computer directly without NAT or firewall to the open internet. And would never open a website without a add blocker.

You can count all other known big attacks(on unpatched Windows 7!!!) on one hand.

1) Remote execution via Wifi Stack

2) Remote execution via True Type Fonts

3) 0-Click code execution via USB Stick Icon processing

Windows update instead gives AT LEAST Microsoft a steady remote code execution on your and millions of other computers. It's a really interesting attack target when you go big. Why I should trust M$ to get the security there right?