>>26no u. WannaCry (and Petya) made a big splash in the media but most of the money generated in ransomware campaigns has nothing to do with exploits (similarly: Stuxnet/Flame/Duqu made the news but most malware isn't as complex and doesn't use 0-days
1). usually, it's social engineering: it's not 'hey, run this .exe', more like 'hey, there's important information in this .doc file but you need to enable macros to see it'. social engineering is how most 'cyberattacks' work and you can't prevent that even if you ram a big black formally verified Coq into all the software you run.
1 - an aside: the 0-day used in Stuxnet exploited faulty logic, not C bugs