Mistaken approach
ENISA has misunderstood the goal of these "studies". They are not made to explain an actual cost; they are made to push the hysterical fear agenda to scare punters into investing in security (any kind, doesn't matter as long as the contract is in the tens of thousands) and therefore need to publish big numbers, because that's more impressive than saying that a typical cybercrime will actually cost an admin a day/week of work to ferret out and lock down the affected parts.
Even if your admin is paid in gold bars, you won't hit a number that is anywhere near the million mark, so not impressive enough.