Threat modeling and risk management

Like you hint at: Publish your TM. ™ 😉

It’s usually one of the three causes: unlikely (strong preconditions) / low impact (weak postconditions) / already defended.

When I teach the “what would ruin a day at the beach” toy example, I sometimes get 🦈 shark attack or 🌊 tsunami. Yes, that would really suck. But we will most likely have a great day at the beach without a tsunami when we just accept it. Same with technical risks, some of which are ridiculous.

Threats with strong preconditions are another case. Let’s give an example: Apps usually have high-impact threats after account takeover or server takeover. We may mitigate for additional harm reduction. But those takeovers’ protect / detect / respond should have been considered anyway and hopefully been made unlikely. So account / server takeover defense may already be sufficient defense for those follow-up threats.