The basic issue is that every nation is actively buying and using zero-days and doesn't want to stop. And companies like NSO aren't really (so they say at least) hacking anybody. They just develop and license hacking tools to governments to use for "lawful" law enforcement purposes. So nobody wants to ban the zero-day market because every country is a huge buyer of zero-days themselves and it is hard to ban selling zero-days to sovereign governments who are using them in accordance with their own laws (even if the regimes in question are terrible and using them to violate their citizens basic human rights). After all, it would be a bit awkward for the US to demand that the NSO Group stop selling it's hacking tools to Saudi Arabia while we have a multi-billion dollar defense industry selling the Saudis all sorts of advanced weaponry.
The ability to inflict massive damage to a nations infrastructure is now part of modern weaponry. It's akin to asking militaries to stop buying weapons. We have basically split the atom here, we aren't going back.
If you don't want people hacking into your systems you need to go full Galactica, disabling networks and have stopgap measures on every critical device.
There's a great book that talks about this ecosystem (of buying bugs, vulnerabilities, and other 0days), among other cyber security related things:
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
To me the only reasonable survival strategy is redundancy, but I have no idea how we can reach there.
Fresh book recommendations delivered straight to your inbox every Thursday.