I'm pretty sure the majority of companies won't take these risks seriously until there has been at least one headline-grabbing story about real financial damage done to a company thanks to a successful prompt injection attack.

I'm quite surprised it hasn't happened yet.

The issue with the more concerning types of these attacks is they are either never spotted, or they take months to execute. Public disclosure is unlikely in a lot of cases. Even widespread internal disclosure is probably not a common occurrence.

Routinely large public companies are however having to admit breaches and being compromised so why we are making the modern day equivalent of an infected USB drive available is puzzling.