For this to be announced as a CISA bulletin implies some importance
since it gives visibility to these types of vulnerabilities.
Generally humans-being-humans, if there is a way to bridge the air-gap to make their lives more pleasurable/efficient/whatever, the humans will do so. I've seen many examples from within TS SCIF facilities and other environments.
One also wonders how many of these incidents are not being publicized. We know banks/etc. don't like to publish the fact that their security is lax and has been breached. Same for industrial/corporations/governments.