
That's not very fair. Browser exploits are a lot rarer than phishing.


I don't think background noise of broad, low-effort phishing emails can be directly compared to a more focused attack. If you work somewhere with interesting data the odds of a good phishing attack leading to an exploit could be much higher because you're being specifically targeted and they're not going to send the message until they have a current exploit ready (probably hoping to get it in before your IT department's change window, too).


If someone had a working browser exploit, wouldn't they just deliver it to their targets via an ad network?

AFAIK most enterprises don't mandate ad blocking or noscript.


> If someone had a working browser exploit, wouldn't they just deliver it to their targets via an ad network?

I've heard more people at enterprises using ad blockers for security so I wouldn't rule that out, but in general this is hitting the broad vs. targeted distinction I mentioned: each time you use an exploit you're risking discovery, which will lead to it being patched & AV signatures going out. Using an ad network increases the number of people who are not your target getting the payload, not to mention any scanning the network does, and since ad networks require payment there's another trail pointing back to you which might not otherwise be the case if you are hosting things on compromised servers.



