How to run a meaningful CyberSecurity Risk Workshop/Assessment

I think you've done a great job of articulating a problem that I've also been stuck on for a while.

Quantifying cyber risk and the amount of improvement brought by remediations is a really hard problem! I see it as a "low-probability / high-impact" event, and those are difficult to model from a statistical standpoint without a lot of carefully collected data. I'm right there with you in thinking that the best current route is to rely on the insurance company actuaries to drive industry best practices. (Quantifying risk and the impacts of remediations is their full-time job, after all.) Even if you don't buy cyber-insurance, you could still use their requirements as your security baseline.

Eventually, you would hope that market forces guide the insurance companies towards actual ROI best practices around cyber security. Insurance companies that overestimate risk will get underbid; companies that underestimate risk will have to pay out more claims (ideally).

One approach I've used to handle this for now is to simply measure my security posture vs. comparable companies. This is like the "secure your doors better than your neighbors secure theirs" approach. I don't actually know the likelihood of a thief trying to force entry into my back door, so it's hard to calculate ROI on a floodlight, alarm system, etc. But if I know my neighbors all only have a locked doorknob for back-door security, I would feel comfortable with just a deadbolt and an ADT sticker in my window. I pass this reasoning right up the chain: I don't have enough data on the quantitative ROI of these improvements, but here is what similar orgs are doing. If we try to do the same, we'll at least be on par for competitive advantage.

If you do find some good sources of data on this though, I'd be very interested.

/r/sysadmin Thread