When I worked on a cybercrime startup idea in 2008-9, every single "cost of cybercrime" calculation I found - even from government agencies - was based on the same original, unsourced estimate from MarkMonitor, which sells various brand protection services to IP holders (e.g. they'll watch eBay for counterfeit auctions of Rolex watches). After a few years, MM was able to cite the more "official" sources with a circular reference.
There's no financial incentive for anyone to say "nah, it's not that bad".
While I concur that objectivity is important, I would not completely discredit that there are severe economic concerns with cyber crime. I've seen first-hand vast amounts of intellectual property being obtained illegally through coercion and manipulation of private and federal systems. Working in a position to detect and prevent, you'll often find that the victims are not aware of their losses nor the secondary conditionals that drive associated costs. Most cyber crime isn't as clearly defined as, say, a list of credit cards stolen from a service provider. These are the models you can somewhat quantify a worst-case estimate for. All that's required is that you tally up the limits on all the cards and say the potential was for x amount of monetary loss. Is the number a realistic answer or projection? Not really; often it's way out of touch with reality. The question then becomes: how do you define realistic losses?
It's true that there aren't models that can clearly and appropriately estimate losses for an entity. This is due in part to the large costs that aren't known in that exposure of credit card numbers. Addressables such as client confidence, the manpower and time to disseminate information to the victims, the time spent eradicating all flaws being levied by the actors (which alone are not inclusive of your overall downtime), and even public shame are all items hard to quantify a numerical value for. We can argue about models, but the truth is there is never a model for every scenario. You can only go by speculation and assumption. So it's with that understanding that I somewhat allow an inflated estimate of real damage. If, at the end of the day, the horror stories read online push users and admins to educate themselves, even if out of fear of overly estimated losses, I see no harm.
Personally, I feel the more appropriate response is to give clear guidance as to how these incidents were born. It's only through proper education of users and admins alike that we'll be able to stymie those attempting harm.
In concurrence with your comment, there is no doubt that there is sensationalization on the part of everyone at play. Antivirus and malware removal manufacturers want to project an image of fear. It's this sense of fear that drives their market. However inappropriate it may be, it at least drives discussion. It's only with proper education that users see the difference between realistic threats and the Hollywood movie projections.
Interesting that this came out of Microsoft Research. Perhaps Microsoft was getting really annoyed with overblown estimates of losses from compromised Microsoft products.
There are political and economic forces that benefit from fanning alarmism about cybercrime, just as there are companies like MS that incur losses from such alarmism. When there's so much uncertainty about what reality looks like, either side can cite figures that support their own agenda. Kudos to the researchers for bringing some cautious sanity and objectivity to the issue, instead of just running away in the other direction.