There's no financial incentive for anyone to say "nah, it's not that bad".
It's true that there aren't models that can clearly and appropriately estimate losses for an entity. This is due in part to the large costs that aren't a known in that exposure of credit card numbers. Addressable's such as client confidence, the manpower and time to disseminate information to the victims, the time spent eradicating all flaws being levied by the actors which alone are not inclusive of your overall downtime and even public shame, all items hard to quantify a numerical value for. We can argue about models, but the truth is there is never a model for every scenario. You can only go by speculation and assumption. So it's with that understanding that I somewhat allow an inflated estimate of real damage. If at the end of the day, the horror stories read online push users and admins to educate themselves, even if out of fear of overly estimated loses, I see no harm.
Personally, I fell the more appropriate response is to give clear guidance as to how these incidents were born. It's only through proper education of users and admins alike, that we'll be able to stymy those attempting harm.
In concurrence with your comment, there is no doubt that there is sensationalization on the part of everyone at play. Antivirus and malware removal manufacturers want to project an image of fear. It's this sense of fear that drives their market. However inappropriate it may be, it at least drives discussion. It's only with proper education that users see the difference between realistic threats and the hollywood movie projections.
There are political and economic forces that benefit from fanning alarmism about cybercrime, just as there are companies like MS that incur losses from such alarmism. When there's so much uncertainty about what reality looks like, either side can cite figures that support their own agenda. Kudos to the researchers for bringing some cautious sanity and objectivity to the issue, instead of just running away in the other direction.