I completely agree with this.
Security researchers also are good "ombudsmen" in the ecosystem and very necessary, but 0-days are often overkill as long as the config is correct, and default installation values can always be improved for new installations.
Right first time is always better.
Personally (as a vulnerability researcher) I have found that it is more difficult to find real hacks which take complete control of the system. So SAP is doing a good job in the product development integration with security input.
When a bug does appear, there are a myriad of other conditions in the customer scenario, patch levels and config which contribute to it being a real problem with high impact / easy / high probability / remote without authentication... or internal by the DB admin who 0-days his own system.
I don't mean to be flippant here as I take security very seriously, but some hype is also marketing.
Cheers,
Julius