Microsoft's report has very clearly skewed the numbers in their favor. By redefining zero day to mean a known vulnerability without a patch, they are completely ignoring attacks from actual 0day - "exploits [that] are used or shared by attackers before the developer of the target software knows about the vulnerability."

Don't worry about zero-days, says Microsoft

2011-10-11

http://www.net-security.org/secworld.php?id=11759

Microsoft released its Security Intelligence Report volume 11 (SIRv11), which found that less than 1 percent of exploits in the first half of 2011 were against zero-day vulnerabilities. In contrast, 99 percent of all attacks during the same period distributed malware through familiar techniques, such as social engineering and unpatched vulnerabilities.

SIRv11 provides insight into online threat data between January and June 2011 and analysis of data from Internet services and over 600 million computers from more than 100 geographies around the world. It focuses on software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches.

[..]