The research was not about the scandal of data left behind. That data proved to be an excellent fossil showing a business running an insecure system without basic protections, failing even to install security updates for seven years.
This, though, only confirms your own account and probably falls well within the known range of shortcomings.
Doesn't HP, for whom the author of this report works, compete with sellers of point-of-sale systems, which have become default inventory and accounting systems for many small businesses?
After all, this is not a story about how data was actually used in a crime. The article: "Even second-hand POS systems aren't cheap, so it's unlikely that cybercriminals would spend hundreds of dollars on a chance that a few contain personal data." The businesses who use the system are not directly harmed, are probably defunct, and don't have IT expertise in house.
If there were headlines about this method being used or complaints from banks and law enforcement, it would not be necessary to issue this report.
Just a guess, but I'd say that only insurance companies, card clearance companies, and governments have a stake here, and they are the intended audience. They have the clout to ban resales, or at least to erect high barriers to resale involving certified wiping and refurbishment, which would help sales of new systems and create new opportunities for service charges.