Interesting read, but I think they made a wrong assumption at the end: the same methodology used by medicine may be used by cybersecurity experts. I think that threats and cybersecurity is people vs people battle while medicine is people (specific population?) vs nature battle. Technology (made by people) is changing and people can discover flaws at any moment that can have disastrous consequences when used by bad guys. They made a good point about proximity vs global reach, but it would be nice to add about potential scalability of attacks and economies of scale. Nature of this battle is far more dynamic than population-level efforts against cancer.
I agree and was thinking similar - cybersecurity landscape changes rapidly so gathering evidence about risk reduction of specific security action is much harder if not impossible.