How do governments & cyber criminals develop the zero day exploits that they then use to infect your computer systems to steal data or eavesdrop on you? Simple… they buy them.
The going rates for exclusive use are thus:
Application | From ($) | To ($) |
Adobe Reader | 5,000 | 30,000 |
Mac OSx | 20,000 | 50,000 |
Android | 30,000 | 60,000 |
Flash or Java Plug-in | 40,000 | 100,000 |
Microsoft Word | 50,000 | 100,000 |
Windows | 60,000 | 120,000 |
Firefox/Safari | 60,000 | 150,000 |
Chrome or IE | 80,000 | 200,000 |
IOS | 100,000 | 250,000 |
Source Forbes
The market is made up of small companies such as Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, in Malta. There are also a range of brokers such as The Grugq who will act as intermediaries between the developers and the governments/crime syndicates as well as some major Defence Contractors such as Northrop Grumman and Raytheon.
In terms of how effective the exploits are:
The average Zero Day attack persists for 312 days before it’s detected, vulnerability purchase to public disclosure is between 133 and 174 days.

And how widespread?:
The Known Unknowns | NSS Labs has determined that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. The NSA has a budget of $25M to purchase this kind of kit and GCHQ can’t be that far behind.