Board: Development & Technical Discussion
Re: Lost coins vulnerable to theft in the future?
by Adam_xx on 21/06/2022, 08:24:48 UTC
Another factor that would affect the decision whether to lock the coins or not would be the total amount that would be affected by the vulnerability. It is not just P2PK outputs, it is all the reused addresses that have revealed their public key and still have a balance, and all the new outputs that start using public keys again, like P2TR outputs or any other output type that contains a public key, like P2MS. For example, if it affects a quarter of the bitcoin total supply (5-6 billion BTC), then it is a serious issue to let them be "stolen".

There is probably a solution for reused addresses if they are a part of HD wallets, so the problem might be "just" with very old P2PK and reused addresses from non-HD wallets. That is currently at least 2 mil. coins, but not all of them are lost. The breaking process will probably not be as fast as o_e_l_e_o pointed out, at least in the beginning (and if ever, of course). The economic effect could really be similar to mining. If we look at exchange inflows for the last couple of days, the amount of coins changing hands is huge (and still survivable). If BTC can survive such a scenario without the need to lock the coins (or lock them but introduce a way to claim them by ZKP), it would be good.

Here is a quote from Adam Back's tweet:

also I think (fairly new thought) that HD keys that were reused could be soft-forked to require a Zero Knowledge proof of knowledge of the chain code and master even if the coin private key was public information. (and soft-fork made not be spendable with direct ECDSA.).

-----

Of course, there is the problem that the chain code / master is sometimes known by wallet providers, etc. And the issue with P2PK and non-HD coins still persists. But at the same time, I suppose this claiming process will not be used so much, because every rational person would move their coins long before they become vulnerable. But the option to move coins even when ECDSA is no longer supported would be nice.

Or ECDSA/Schnorr will be phased out much sooner, before they become vulnerable (e.g. by a couple of decades), and when we get to the situation of a quantum computer attacking the old coins, the consensus for locking the old outputs will be much easier to reach.
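Added example (not from this post, Adam Back's tweet, or any Bitcoin project code): a pure-Python implementation of non-hardened BIP32 child key derivation on secp256k1, to make concrete what "knowledge of the chain code and master" would mean in the proposal quoted above. It does not implement the zero-knowledge proof itself; it only shows the relation such a proof would attest to. The child private key is the parent private key plus an HMAC-SHA512 tweak keyed by the chain code, so a published child private key alone does not reveal the chain code, while anyone who holds the chain code and the parent public key (the wallet-provider caveat in the post) can undo the tweak and recover the parent key. The seed and the key/index values in the demo are constructed sample inputs, not a real wallet.

```python
import hashlib
import hmac

# secp256k1 curve parameters (public constants from the curve specification)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compress(point):
    """33-byte SEC1 compressed encoding, the form BIP32 feeds into the HMAC."""
    x, y = point
    return bytes([0x02 + (y & 1)]) + x.to_bytes(32, "big")


def _tweak(parent_pub, chain_code, index):
    """BIP32 HMAC-SHA512(chain_code, ser_P(parent_pub) || ser32(index)) -> (IL as int, IR)."""
    data = compress(parent_pub) + index.to_bytes(4, "big")
    i = hmac.new(chain_code, data, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(parent_priv, chain_code, index):
    """Non-hardened private child derivation: k_i = (IL + k_par) mod n, c_i = IR."""
    assert index < 2 ** 31, "hardened derivation is not covered here"
    il, ir = _tweak(scalar_mult(parent_priv), chain_code, index)
    assert 0 < il < N, "invalid index per BIP32; caller should skip it"
    return (il + parent_priv) % N, ir


def ckd_pub(parent_pub, chain_code, index):
    """The same derivation from public data only: K_i = IL*G + K_par (what an xpub holder can do)."""
    il, ir = _tweak(parent_pub, chain_code, index)
    return point_add(scalar_mult(il), parent_pub), ir


def recover_parent_priv(child_priv, parent_pub, chain_code, index):
    """Known BIP32 property: a leaked non-hardened child private key together with
    the parent public key AND the chain code yields the parent private key.
    Without the chain code the tweak IL cannot be computed, which is exactly the
    secret a proof of chain-code knowledge would demonstrate."""
    il, _ = _tweak(parent_pub, chain_code, index)
    return (child_priv - il) % N


def demo(seed=bytes.fromhex("000102030405060708090a0b0c0d0e0f"), index=7):
    """Derive a master key from a constructed seed, derive child `index` both ways,
    and show that the parent key is recoverable only with the chain code in hand."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()  # BIP32 master key generation
    master_priv, master_cc = int.from_bytes(i[:32], "big"), i[32:]
    master_pub = scalar_mult(master_priv)
    child_priv, child_cc = ckd_priv(master_priv, master_cc, index)
    child_pub, child_cc_pub = ckd_pub(master_pub, master_cc, index)
    return {
        "priv_and_pub_paths_agree": scalar_mult(child_priv) == child_pub and child_cc == child_cc_pub,
        "parent_recovered_with_chain_code": recover_parent_priv(child_priv, master_pub, master_cc, index) == master_priv,
        # a wrong chain code (a 32-byte zero string, constructed) gives garbage, as expected
        "parent_recovered_without_chain_code": recover_parent_priv(child_priv, master_pub, b"\x00" * 32, index) == master_priv,
    }


if __name__ == "__main__":
    print(demo())
```

The two recovery results are the whole point: the third entry is False, the second is True, so the chain code (and by extension the master key behind it) is a genuine secret even when a child key has been published or broken, which is what makes it usable as the witness of a proof-of-knowledge spending condition; conversely, any party that already holds the chain code, such as the wallet providers the post mentions, could produce that witness too.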