That 65% figure in the press release has an interesting origin. It seemed oddly specific to me, so I had a look.

In the actual report main text, it says that the risk is between 35% and 65%, but does not explain the calculation, if any, that results in those numbers.

It's not until one reaches Appendix A that one finds that this really means that it has been assigned a value of 3 on a scale of 1 to 5, meaning "medium risk", and the value 3 is arbitrarily assigned that percentage range, originating with the U.S.A. FDA's Office of Information Security, where "low risk" (2) is similarly 10% to 35% and "very low risk" (1) is less than 10%.