by Angostura 2812 days ago
You know what? It's only a huge burden for organisations that process a lot of personal data in a variety of interesting ways.
2 comments

As someone leading the privacy program at an organization that doesn't have that much personal data (relative to most businesses in our industry at least, and probably overall) and doesn't process it in particularly "interesting ways," I strongly disagree. The GDPR was and is a huge burden. You can believe that it's worth it without engaging in the fantasy that it's not burdensome, but don't deny the reality of the burden.

As someone who was involved in the GDPR work for an organisation that holds some fairly critical information about people and needs to share it with other organisations both as Data Controller and Data Processor, it really wasn’t too bad, mainly because we had already thought quite carefully about privacy and data security.

As a committee member on a local swimming club, it took about 2 hours.

There's a huge variance depending on the complexity of the business and how many different things you do. Most of the variance has little to do with the shadiness/lack thereof of what you were doing with the data or even how well it had been thought through. Most of the variance is in how many different types of things you're doing and how many different data inputs you have.

I've talked to colleagues who do a wide variety of processing for their controllers in a business with just a few employees, which is paralyzing. The company I work in is somewhere in the middle. I've also talked to colleagues at companies who only have a few inputs, and regardless of the volume of input that seems to be pretty easy.

I disagree. The sheer magnitude of fines that can be imposed makes the potential damage huge, even if the probability of being hit by them is small. This makes the risk of noncompliance high.