Secureblue: Is This the Most Secure Linux Distro?

If you/anyone has a story about a desktop Linux user being targeted and exploited by a known issue though, definitely share. I could be forgetting something or unfamiliar.

Much like CVE counting, I don’t think using news reports is a reliable or thorough mechanism for collecting data on this. 😅

The number of silent attacks that are never even discovered let alone reported on likely outnumber attacks in the news by orders of magnitude… how would you even gather data on them?

Speaking of silent attacks, improving the system’s security architecture isn’t just about preventing attacks that leverage design flaws. Having a robust security architecture can mitigate the impact of zero-days or other kinds of attacks. How many XZs are currently in our supply chains and go undiscovered? We shouldn’t be just waiting around for the next patch to fix the next disclosure. We should be hoping for the best scenario, but preparing for and assuming the worst. Jia Tan went undiscovered for years, and was almost not discovered at all. It’s not unreasonable to assume that somewhere in our current systems (FOSS or otherwise), there are yet undiscovered supply chain attacks.

Also, are you only including home users here? What about desktop Linux users inside of large enterprises? Cases where a targeted attack could mean targeting an organization for its money, IP, data, etc. My point is that it’s not useful to talk about security in terms of the lowest common denominator or pathway of least resistance, because then you’re just playing whack-a-mole. If developers in the desktop Linux stack were to start focusing heavily on security, and the rate of zero-days were to fall, attackers using them would just move on to new approaches. Relying on CVE counts/journalists/news reports for security analysis is a reactive approach. Security needs to be proactive and in-depth. It’s this depth of proactive security that’s lacking on Linux, as opposed to timeliness in fixing zero-days (although that’s of course still important).

by a known issue

This was a consequence of a lack of proper sandboxing and a lack of userspace mandatory access control 😅. Unintentional damage is still damage.

which you would think is an easier approach.

If your options are to hire a red team to develop an attack vector pathway using known architectural weaknesses vs simply buying a zero day, I would imagine the zero day is cheaper.
