Qualitative is still king

IDC did a survey sponsored by Archer and found that most of the respondents (41%) still use a 1-5 ranking / High-Medium-Low model for risk ranking.

For more details, refer to the full report: Understanding the Modern Needs for Risk Management (archerirm.com)

Here is a screenshot from the report:

I think the actual number is higher if you take risk management practices within Information Security. Despite their limitations, qualitative approaches (High-Medium-Low, 1-5 rankings) remain practical for many organizations. Also, most risk managers in Information Security have not been formally trained on probability or Operational Risk management methodologies.

Obviously, quantification in actual cost terms is even better. This might change if more companies adopt FAIR-like methodologies for quantifying risks, especially now that many GRC tools also facilitate this.