So maybe altogether 2-3 mil. is accurate.
It's closer to 4 million vulnerable coins, according to this study:
https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html

It was done around 2 years ago, but you can see from the graph halfway down the page that the number has fluctuated around the 4 million mark for ~8 years, so I suspect it is still around the same. P2PK outputs are essentially constant and unchanging, while reused P2PKH addresses have slowly fallen as reused P2WPKH addresses have slowly increased. And of course we can now add in P2TR outputs as well.
My logic is that if something is considered vulnerable then it must be removed from the Bitcoin protocol. For example, if OP_CAT has a weakness then it is removed from the code entirely, even if someone had used it in a script. Which is exactly what happened: this opcode and a handful of others were completely removed.
Similarly, if OP_CHECKSIG becomes vulnerable then it must be removed from the code, not left there for people to choose whether to use it or not!
This is the most convincing argument for the opposite position to mine, I think. But it is worth pointing out that nobody's coins were made unspendable when OP_CAT was removed, compared to the millions of coins which would be made unspendable if OP_CHECKSIG is removed.