I think it's like a lot of things: if somebody wants to steal your car they will, if they want to break into your house they will, and if they want to break into your computer they will. Doesn't mean you shouldn't try to secure those things the best you can.More security theater and progression in the cybersecurity arms race it is then?
Personally I'd rather not keep anything of personal/irreplaceable value connected to the internet full time as there always flaws (even in the "new enhanced"/"patched" versions). If it's important it (or a backup) should probably be air gapped in my opinion - and preferably with with tightly controlled access to the physical air gapped system/backup.
Seen/heard of too many breaches (to include the OPM breach a several years ago) to have any faith in new software or patches..... particularly given the poor system/software engineering practices I've seen at many companies (of all sizes).
No matter how good a defense, unless it's paired with an effective offense the defense will be overcome sooner or later..... unfortunately it doesn't seem there's much interest/capability in prosecuting cyber-crimes/attacks unless it reaches a "newsworthy" level.....
Prosecution can be hard because while you can usually track down who it is that doesn't mean you can do anything about it, plus it seems our police model is still stuck in the world of geographic jurisdictions, not to mention a general level of ignorance when it comes to digital crime. Unless something gets the attention of the federal government, most other agencies are ill equipped to deal with it. There's also the cost issue for all that. A top cybersecurity expert can make more than a doctor or a lawyer so hiring a team to work those kinds of cases gets pricey real fast.