The way I read the article, the “worth millions” is the sum of the ransom demand.
The funny part is that the exploit is in the “smart” contract, ya know the thing that the blockchain keeps secure by forbidding any updates or patches.
You can in fact insure things that it is possible to steal. Cars, bikes, household posessions, you name it. It’s quite common.
In a highly simplified way: total risk of insuring from theft is roughly other-risks * theft-risk, so if theft risk is 0, it means that other risks, such as insanelly high risks in asset valuation are irrelevant to the total risk which will always end up as 0.
So it makes sense that being paid to insure that which cannot be stollen against theft is risk-free money quite independently of all else. (Of curse, if something has a non-zero probability - even if tiny - of being stolen none of that holds)
I think that’s the whole humourous point the previous poster was making: that which NFT promoters kept on telling us guarantees unique ownership which cannot be taken by others (and hence cannot be stollen) turns out that it can.