For any security project, when we try to use risk to inform our software development and operational processes, the current state of available data is not particularly helpful. But even if the data were better than it is today (and we had real statistics), it would not likely help much when it comes to risk: historical frequencies say little about rare, high-impact events. A good example from Nassim Taleb in Antifragile:
"A turkey is fed for a thousand days by a butcher; every day confirms to its staff of analysts that butchers love turkeys 'with increased statistical confidence.' The butcher will keep feeding the turkey until a few days before Thanksgiving. Then comes that day when it is really not a very good idea to be a turkey."
What we need is something predictive, but we currently cannot even describe the past or present accurately, so we're a long way from that. What to do? One way to think about it comes from Howard Marks: we can't predict the future, but we can at least prepare for it.