Minimal risk for them. The state of monitoring as a whole is such that they can use such an 0-day for a couple of years before anybody notices it. It’s far more likely that the vulnerability is noticed and patched without anyone even realizing that it’s been actively exploited.