The issue with the more concerning types of these attacks is they are either never spotted, or they take months to execute. Public disclosure is unlikely in a lot of cases. Even widespread internal disclosure is probably not a common occurrence.

Routinely large public companies are however having to admit breaches and being compromised so why we are making the modern day equivalent of an infected USB drive available is puzzling.