It just seems that either no one is measuring realized risk exposure numbers for their firms, or mum's the word on their findings. The information that I collect is strongly covered by Non-Disclosure Agreements. To help with this, I want to start publishing de-identified statistical abstracts.
I included some of these statistical abstracts in the financial section of a paper published by ANSI. I am a coauthor on "The Financial Impact of Breach Health Information, A Business Case for Enhanced ePHI Protection" (http://webstore.ansi.org/). There are more, yet wrapping one's head around measured risk in this area takes time.
Still, there is a substantial financial costing approach as well as a selection of known failure paths that could be estimated. I want it to be an incremental step toward a better answer to the following question: How does anyone justify Information Security Risk Exposure without any notion of what a data flow is worth and what a misrouted data flow might cost? In medical terms, "When can spending $10,000 on InfoSec be better for patients than buying a new heart monitor?"