That is also true for PoW and all known consensus algorithms

The challenge is to obtain a high attack cost. PoS attack costs are more difficult to calculate than PoW's. But they're not necessarily lower. Social engineering is not free.

I've got some ideas how to achieve a serious estimation for PoS (or any other weak-subjectivity-based algorithm with N@S problem) attack costs, taking into account, for example, the current cost of fake social media accounts, hacking of websites (e.g. block explorers), malware distribution and also the cost of shorting large parts of the currency. One could also fake a request for "old keys" (simulating to be an attacker) to get some numbers about how many people would accept such an offer and how much they would like to get paid.

Imo, in PoS currencies the security level (=attack cost) is much more dependant on a healthy ecosystem than for PoW currencies.