I don't know but I suspect it's probably in the clean up.
For example I've cleaned up websites with malware infections that ultimately failed to operate (they had errors in their implementation).
The infections thus caused zero direct damage. There was nothing on the front end that changed and no hidden phishing pages were operated, etc.. However the infections nonetheless had to be cleaned up, the source of the infections found, modifications to the sites made (where possible) including increased protections and reporting mechanisms.
It's like losing your keys - locks might need changing, those locks might have multiple keys, etc., the locks might be secure facilities than need to be checked for incursions (eg inventories made) and such ...
For example I've cleaned up websites with malware infections that ultimately failed to operate (they had errors in their implementation).
The infections thus caused zero direct damage. There was nothing on the front end that changed and no hidden phishing pages were operated, etc.. However the infections nonetheless had to be cleaned up, the source of the infections found, modifications to the sites made (where possible) including increased protections and reporting mechanisms.
It's like losing your keys - locks might need changing, those locks might have multiple keys, etc., the locks might be secure facilities than need to be checked for incursions (eg inventories made) and such ...