> Something which occurs to me is that you might be saying unlikely, but using examples which are very likely, just infrequent.
Every analogy has its limits. Security incidents are both very likely and very frequent. They are constantly happening. Whether a particular person is going to get caught up by a particular attack, targeted or untargeted, is where things get less likely.
> the likelihood of you being in a fire is actually pretty high, but it could be in an hour or it could be in 20 years.
This is even more true for security incidents. Fires are just far more visible and far less automated.
> Whereas I feel like I commonly see people very worried about situations which are actually just quite unlikely to occur, and I commonly see people stoking those fears.
There’s a difference between being worried about something and soberly acknowledging and mitigating a risk. I don’t understand why you keep conflating the two. The people stoking fears are (anecdotally) usually the ones trying to sell you something anyways.
> what I have observed is security measures being advocated for and implemented without ever establishing the likelihood that they’ll actually matter
Frankly, this is just not how things work in computer systems security and that’s probably why all these analogies are failing. Unlike in other scenarios, there are millions of possible combinations of attack vectors using any possible combination of vulnerabilities in different subcomponents of the system or even across systems within a network. Yesterday’s vector was one thing, and tomorrow’s will be another. You’re asking security experts to provide a crystal ball. There isn’t one. The landscape is constantly changing.
Also, your statements about trying to catalog past disclosed vulnerabilities make me think you haven’t deeply looked into what risks are present and how defensive security works on a day-to-day basis in some of the largest organizations on the planet. I’m hoping the cavalier attitude towards this subject is motivated by that, because if it is being done knowingly it is fairly irresponsible. Large enterprises aren’t the only ones with things worth protecting. End users have data, privacy, accounts, personal information, etc. that are worth protecting too, and they should be provided with education that soberly makes them aware of risks and points them in directions that mitigate those risks. To downplay the risk, and in particular the poor state of desktop Linux, or to point users in a direction that doesn’t properly mitigate those risks, is to do them a massive disservice and to imply that they don’t have something that’s valuable enough to be worth protecting against remote contingencies. I think that they do.