...but we are putting a lot of time in to worrying about something that doesn't seem to be happening much.
I don't think anyone is panicking about the direct impacts, IMHO it is more about awareness and the indirect response. Given the rise of ransomware and real-world examples of ICS attacks you can no longer go into a facility and tell the management team - "The ICS computers require Windows 7, you can't apply Windows updates after it's commissioned, full administrator level access is required across the board, the ICS network needs to be isolated, BUT we need VPN access for remote support..."
It's just full of holes.