Zero click browser exploits still do pop up—it's also hard to say how common they are, because they're hard to detect, and likely to be used very judiciously by the people who discover them to avoid showing their hand. Ad networks have certainly been a direct vector for malware in the past.
Within the past few years there were quite many malicious ads floating around that would trigger a redirect on load on iOS Safari, sending the user to a scam page (phishing, "you've won!", or instant redirect to the App Store), no engagement necessary.
Some recent browser zero days/malicious ads situations, not necessarily "an ad loaded in my browser -> pwned", but reasonably applicable:
Within the past few years there were quite many malicious ads floating around that would trigger a redirect on load on iOS Safari, sending the user to a scam page (phishing, "you've won!", or instant redirect to the App Store), no engagement necessary.
Some recent browser zero days/malicious ads situations, not necessarily "an ad loaded in my browser -> pwned", but reasonably applicable:
https://www.bleepingcomputer.com/news/security/malicious-ads...
https://www.welivesecurity.com/en/eset-research/romcom-explo...
https://www.infosecurity-magazine.com/news/chrome-zero-day-f...