
The cost model also assumes non-criminal behavior. But for most cases where somebody would be motivated to find collisions for breaking a cryptographic scheme, they're unlikely to be restrained by the normal boundaries of the law.

IOW, for a criminal organization (or just a single criminal) with a huge botnet the direct cost might be closer to $0. Of course there's opportunity cost--botnets are often rented like a cloud service--but that's the case for everything.



Also, this is why I avoid bikeshedding technology like Argon2. If your password database is stolen, a 10,000 or 100,000 strong botnet isn't going to have much trouble cracking a substantial fraction of user passwords in that database. Memory-hard algorithms like scrypt and Argon2 are designed to thwart specialized FPGA- and ASIC-based solutions. But cloud services and botnets use general purpose hardware. While specialized hardware will always be more efficient, the scale you can achieve with general purpose hardware is mind boggling.

If people spent half the effort they spend bikeshedding password authentication and instead worked to support hardware security tokens--both client- and server-side (i.e. with an HSM hashing client passwords using a secret key)--we'd all be in a better place.
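The server-side arrangement mentioned in the comment above (an HSM hashing client passwords using a secret key), sketched as an added example that is not part of the thread: the stored tag is an HMAC, under a key held outside the database, over a salted scrypt output. `SoftwareHsm` is a hypothetical in-process stand-in for a real HSM, and the record layout and scrypt parameters are illustrative assumptions.

```python
import hashlib
import hmac
import os


class SoftwareHsm:
    """Hypothetical stand-in for an HSM: the key is never exported or stored
    next to the password records. A real deployment would call the device."""

    def __init__(self) -> None:
        self._key = os.urandom(32)

    def mac(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()


def _stretch(password: str, salt: bytes) -> bytes:
    # Memory-hard step; parameters are illustrative, tune for your hardware.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def enroll(hsm: SoftwareHsm, password: str) -> dict:
    """Return the record that goes into the password database."""
    salt = os.urandom(16)
    return {"salt": salt, "tag": hsm.mac(salt + _stretch(password, salt))}


def verify(hsm: SoftwareHsm, record: dict, password: str) -> bool:
    """Recompute the keyed tag and compare in constant time."""
    candidate = hsm.mac(record["salt"] + _stretch(password, record["salt"]))
    return hmac.compare_digest(candidate, record["tag"])


if __name__ == "__main__":
    hsm = SoftwareHsm()
    record = enroll(hsm, "correct horse battery staple")  # constructed sample
    print("right password:", verify(hsm, record, "correct horse battery staple"))
    print("wrong password:", verify(hsm, record, "Tr0ub4dor&3"))
    # Someone holding only the database lacks the key, so even the correct
    # password cannot be confirmed against the stored tag.
    print("right password, wrong key:",
          verify(SoftwareHsm(), record, "correct horse battery staple"))
```

Because verification needs the keyed operation, a stolen copy of the records alone gives nothing to test guesses against, whatever general-purpose hardware is available.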


This year's bikeshedding is next year's SOP.

I remember when I first heard of git I wondered why it didn't use a member of the SHA-2 family (which had been out for several years by then). Even in 2005 I think that it was fast enough.



