Under that justification, it would require at a bare minimum giving the reader the proper context, e.g., "similar non-breach threats exists for a large number of common online services, such as [list examples the reader is likely to know]".
Sure, but also, my impression is that similar threats do not exist for e.g. Google (because of heuristics on login attempts, scans on the backend for breached passwords, aggressive and un-silenceable notifications about new logins, a well-staffed security team, etc.). So an accurate statement is that most online services that do not specifically invest in account security are vulnerable.
Then customers can decide whether they want an internet-connected home security system from a company that doesn't invest heavily in account security.
