I feel a bit like I might be opening up a can of worms with this one, but I can’t help but see parallels with a lot of what is going on in security.
There is a discussion that came up recently on the risk analysis mailing list about whether vaccines were effective or not. While it appears to be "conventional wisdom" that they help many people, at least some folks question that. This website has a lot of statistics that would suggest that there were long-term reduction trends to begin with and further suggests that vaccines are way overrated.
I have not attempted to verify the veracity of these claims; I only note that we have similar challenges of addressing causation with respect to many IT-based threats, attacks, and compromises. It would be useful if we had data like this, but remember that we don’t normally get insight into actual incidence and prevalence data.
If I recall correctly, I think this exact topic was discussed in Freakonomics as an example of counterintuitive causation.
In particular, they looked at flu vaccinations and found that vaccinations best reduced deaths in at-risk populations not by targeting the most at-risk populations (elderly and the infirm), but the group that transmitted the most infections to others, specifically 3-6 year old children.
As to long-term trends, that’s all well and good, but given that the flu still kills on average about 30,000 people per year in the US alone, I believe that reducing the spread is still good risk management.