I think the point here is that VISA, being the company that actually has to deal with these transactions, have looked over their millions and millions of daily transactions, are aware of the patterns for this exploit and have determined that IF it were to happen, it would not be to an unmanageable extent. Given what’s required for this particular exploit, they’re likely dealing with actual real situations in the world (not just in a lab) that amount to many orders of magnitude larger than the worst that this situation could ever cause.
Security Researchers HAVE to make things sound scary so that you’ll read their articles and view their videos. Ad revenue is a POWERFUL drug.
BUT, in today’s complex systems, where any individual member of the system could be exposed to several critical exploits, many companies have a “no-trust” configuration. Even if a member of the system is exploited, it’s not automatically trusted into the next part of the system. This means that safeguards in OTHER areas of the system can effectively obviate any individual member’s exploit. Security Researchers, of course, know this, and know those other safeguards are in place. But, again, they’re looking at the dollars those ad views will drive and, hey, what’s a few million folks becoming irrationally fearful as long as those researchers can keep the level of living they’re accustomed to?