A single pass of zero's is enough, as getting any additional data of such a drive is so expensive, that for most data it's simply not worth it.
The only easily recoverable data will be in deactivated sectors. That's between 512 and 4096 Bytes of contiguous data for each reallocated sector.
There may also be data stored in the "host protected area"; most drives allow for part of the drive to be restricted - it won't show up on scans, and the space is not reported by the drive, so the OS/partition tools/wipe tools can't see it. However, it can be read. It's frequently used by OEMs to store recovery tools, but some rather poorly-designed tools have used it to store software licensing data, crypto keys, etc.
Commercial drive wiping tools have the ability to "sniff out" HPAs and wipe them, as well methods of dealing with reallocated sectors (usually by completing the wipe but not issuing a certificate of wiping for the drive).
Like SSDs, HDDs also support secure erasure - it just takes a few hours to run. However, secure erasure is difficult for many people, because most PC BIOSs automatically issue a "security freeze" during POST which blocks the secure erase function. Often, drives can only be secure erased after hot-plugging into a running system. Even, then there is limited secure erasure software available; and much of it is provided by OEMs and locked to their drives.