[NikolaNovak]

I don't know if this is pedantic, but op indicated "attacks" not "vulnerabilities". I would not be surprised if statistics in vulnerabilities are different than statistics in realized attacks?

[overthrow]

If there's a difference I'm open to someone citing a source quantifying it, but I won't quite be convinced by unsourced blanket generalizations that go against common wisdom

[ecdavis]

This page is informative: https://www.oaic.gov.au/privacy/notifiable-data-breaches/not...

> Just over half (54%) of cyber incidents involved malicious actors gaining access to accounts using compromised or stolen credentials.

My experience has been that most attacks are not that sophisticated and tend to target poor practices within organisations.