I think you're right - as I said on a sibling comment, if beans are all you count, and bean-counters rule the roost, you can write this off as a one-off, and point out you had 30 years without a ransomware, and therefore we don't need to do anything...
That's surely how it would be represented in order to retroactively justify negligence.
But a more precise calculus would take into account that (1) the proliferation in ransomware is recent and explosive, and (2) getting hit by one ransomware group doesn't mean a second group won't strike soon. (Although I'm guessing the second wouldn't be allowed to use the same ransomware-as-a-service platform, as that would harm the platform's reputation.)
