1.For security zones, you can group subnets/interfaces into the same security zone based on the security profile of the hosts in those subnets. You do NOT need to have a separate zone for each interface. When you create security zone names you associate one or more interfaces with that zone.
So example security zones using the principle of similar devices in the same zone might be.
Servers - each subnet allocated then to server functions and rules written both from outside zones to access the servers and from Server to Server for the communications needs between subnets.
Users - where internal user devices connect organized by physical areas, departments or other parameters and rules written for access in and out of the devices.
Guests - where vistors connect to access the internet but no internal resources.
IoT - locked down and isolated per subnet for the various equipment and devices performing functions.
2.For mgmt OOB on a separate network using dedicated ports in their own routing instance would be the best practice if practical. If this is not practical you can create virtual interfaces on the ex VC that can be accesses inband for which ever subnet or subnets give you the best access with reasonable security. ( for the inband, is it the same as example that i have shown above).
Do not manually configure vme interfaces these are system interfaces. Your mgmt ip address will be on the layer 3 vlan interface that you associate with the mgmt vlan. The physical interface configured of OOB is me0.
Note that since you have a layer 3 interface on all vlans on the ex switch, you will be able to connect for mgmt to all of them unless you apply a firewall filter to limit access. There is no default security on these. I thought you wanted the gateways for all subnets on the SRX, if so you want to remove the layer 3 interfaces for all vlans except the mgmt one.