I don't think it says that about the set of all vulnerabilities (IOW - citation needed!).

It does say "In this paper, we consider only exploits that have been used in real-world attacks before the corresponding vulnerabilities were disclosed" so it's unsurprising that in their dataset this is the case :)

Yeap, you're right, I misread. Here is a quote from the paper: "15% of these exploits were created before the disclosure of the corresponding vulnerability." So there's a lower bound.