It is well known in the security community that attribution is hard. Attacks do usually not leave enough evidence to attribute it to a specific group. However, the one reason it really made me think is, because the talk I was listening to was very explicitly avoiding attribution. Which makes any risk to prepare for – and spend money and ressources on – very diffuse and therefore difficult to evaluate for probability.
If a product can safe you from a thread that cannot be identified or quantified, this lacking relationship makes the statement FUD, Fear, Uncertainty and Doubt.