First, you do not need to be the Russian intelligence services to pull off this attack. Given prevailing trends in the vulnerabilities market, this sort of attack would cost at most $1M to pull off, which puts it within the capabilities of maybe ~50,000,000 individuals worldwide, let alone organizations. If the SVR is anything like the CIA, they are probably running at least 1,000 programs of similar scale simultaneously, so it is not as if the attack was supported by the full weight of the Russian intelligence services.
Second, a company's threat model should include entities that want to attack them. Given that they are claiming the SVR wanted to and did attack them, it would be ridiculous to not include them, since that would be empirical evidence that they are an actual threat actor. Even if we were to ignore empirical evidence, any company like SolarWinds that sells to wide swaths of government agencies in critical capacities should absolutely be including foreign intelligence services in their threat models, and should probably be required to demonstrate effectiveness against attacks funded to at least the $100M level, since only at that level does it start to actually get problematic for state actors to run operations.
I'm not convinced about the arguments of cost. There are a whole lot of presumptions in that chain of reasoning. The initial vector seems to not require any high-priced vulnerabilities, but a simple authorization bypass, e.g., bypassing 2FA, which could well have been a root account. From there, get the keys that Duo depends on, then you own the whole thing.
I have always argued that doing what I call "defense by presumed motive". The logic would have been "ok, UNC2452 wants to access DHS hacker's email. I'll go after SolarWinds". Better spend your energy on basic security principles.
If you want to see the difference between just throwing money at the problem and an actual tier 1 threat, compare this with the Chinese iPhone 0day from fall of 2019. Probably a multimillion dollar exploit, with terrible quality and no opsec on the C2 side. Just spending money doesn't get you the kind of expertise that's needed to pull off something like this.
It's a bit like arguing Bill Gates is a serious threat to any naval power because he can afford to buy a nuclear attack sub; there's more to it than that.