It is also worth mentioning that not all memory safety vulns are exploitable or have a theoretical exploitation vector. Many these days are similar to theoretical crypto vulns in that "some day" the capability might be developed. It isn't just exploit mitigations but secure development practices that make it hard enough to where even theoretical exploitation isn't viable.
About where that number was twenty years previous.
The big difference is that twenty years ago, the enemy was script kiddies. Now it's competent teams funded by multiple nation-states.