First, I'd be interested to see stats on data centers and public clouds not running machines with ECC memory. I'd estimate that ECC prevalence in servers in data centers is closer to "ubiquitously" than "sometimes."
I see this sort of ambiguous language about ECC and rowhammer frequently when discussion of rowhammer comes up. Has there been any proof-of-concept demonstration that rowhammer privilege escalation works on a system with ECC memory? If there has been, that's interesting and worrisome. If there hasn't been, that's not very interesting or worrisome; it's the equivalent of writing "hardware may not protect against yet-to-be-demonstrated attacks" (which is trivially and always true.)