"So far, no miscreants have been caught exploiting the vulnerabilities in the wild"
... "We suspect this is part due to the wide rollout of mitigations, and part due to there being better bugs for hackers to abuse."
I suspect it's because there is no reliable tool for detecting cache side-channel attacks, so the attacks are flying below the radar. The techniques I've seen so far require calibration to avoid false positives, and it looks to me as though attackers could defeat those methods by reducing or disguising their activity to below the magic threshold that the detector is set to...
It'll be interesting to see how the first detection in th wild happens and how many false positives they had to discount. :)