Depending on who you're talking to, an app-level vulnerability in a Linode management console might be called a "0-day". But it's true that a CF stack flaw is not impossible.
The problem I have balancing the likelihood of CF stack bugs vs. CF app bugs is that I've had to assess a bunch of CF apps, and they're uniformly coded to mid-1990s best practices. No matter how many bugs have been announced in the CF stack, as a betting man my money would always be on CF app bugs.
