@ErikPost It's about time we got away from qualification of risks, and put arbitrary values on impacts and threats. I suggest we approach this with real data, using quantification for far better messages towards the C-Suite and using their own language.
I.e. Open Group - FAIR method or a commercial example:
Linking below an information sheet looking at the extent of ransomware attacks from the past year globally - it includes a heatmap of publicly disclosed attacks by country as well as pulling together information from various different sources to give a complete picture of what is happening.
It's growing all the time of course - in 2020 the average cost of remediation was around $0.76m and this year it is $1.85m (according to Sophos).