Velocity9490 These zero-days are pretty much single-use though.
That's absolutely not the case. One smaller competitor of NSO that got on the news recently was selling packages of one hundred infections for $8 million.
Velocity9490 After an exploit gets deployed, it's likely for the device to be sent to an organization like Citizen Lab where it is closely examined, the malware is inspected, and the vulnerability is reported to the vendor of the device/software and fixed.
It doesn't really happen like this. Governments will have rules for having sensitive devices go through forensics regularly, but of course that's not every day. Folks like journalists, politicians, dissidents, etc., will only send their phones to services like Citizen Lab in case of suspicion. Most of them don't even know about it.
And even then, it takes time to analyze the devices, discovering the bug that allowed the infection is probably far from guaranteed, then fixing the vulnerability is also not immediate, and, to top it all off, some people never update their phones, and some people use old phones that won't get updates anymore, so even patched vulnerabilities can still be used with some success.