You're definitely right that there are a lot of uncontrolled variables in those numbers.
- relative numbers of transactions, as you point out (though keep in mind that computer fraud includes ATM fraud and is not just internet commerce; online transactions only account for about 2-3% of fraud in this study). That does make it hard to evaluate relative risk.
- the numbers concern only those who ultimately figured out how the attack happened. It's not clear to me how that would skew the numbers.
- one category is "online transaction" which could overlap with the category where information is misused by an individual at the company who obtained it.
On the second point, though, it doesn't matter whether phishing attacks can net thousands at once or not. What matters is your exposure to risk.
Every plane crash is front page news. Since the numbers involved at once are (or can be) large, it tends to dominate our attention. Strangely, though, this is even true for plane crashes that only kill 20 or so. Meanwhile, a full 747's worth of women are killed by their boyfriends and husbands every month, generally without major headlines, while roughly a 747 full of people are killed on the highways every three or four days. Sure, lots more people are driving or have husbands and boyfriends at any time, but that's sort of the point - we tend to not fear that which is comfortable and familiar, regardless of the true risk (this is also one of the major factors in avalanche fatalities - people tend to be skiing/snowmobiling slopes they've done before).
Of course, because of problems with the data just mentioned, the analogy does run into trouble. We know that adjusted for relative exposure, the per hour risk from flying on a commercial aircraft is lower than the risk of driving in a car, so we can categorically say that the obsession with aircraft accidents is irrational. Since we don't have good control data, we can't make the same sorts of conclusions from the BBB study. It may in fact be the case that online transactions are more dangerous.
What I think is interesting, though, is that there is still a prevalent fear of giving out CC numbers online even on the part of people who otherwise hand out their CC willingly at grocery stores and gas stations and throw out their bank statements and tax information without shredding them. Even if e-comm is slightly less safe (and that's just for argument's sake), for most of these people the exposure to risk is far higher through other channels, yet the fear is lower. There is a disconnect there. Despite the problems already noted with the data, the BBB study is a means of answering those fears in a way similar to the transportation risk data. Unfortunately, crime statistics are notoriously hard to get good controls for, so we can never expect the same sort of quality as transportation data.
The main point, though, is that if people want to reduce their risk, the answer is to be careful who gets their CC number, online and off, and that means checking for an SSL connection and scanning for spyware, as well as shredding statements and keeping track of their wallets.
For those folks who depend on e-comm revenue (not me actually) and have to face skeptical customers, it is also useful information to allay the fears of customers, and I think justifiably. Personally, I trust Amazon to handle my credit card info more carefully than I trust a given waiter who I don't know either and who disappears into the back with my CC for 10 minutes.
Where I think the mass attack scenario is worrisome is when you're looking at it from the standpoint of a company that might be liable for thousands of compromised CCs as a result of lax security on its site. That is a legitimate concern, because there one attack has the chance of destroying a business. However, many businesses have been destroyed by fraud on the part of one bad employee as well. Security needs to be comprehensive.