FlyerTalk Forums - View Single Post - BA Investigating Theft of Personal and Financial Data
Nov 15, 2018, 1:54 am
  #1577  
bisonrav
 
Join Date: Dec 2016
Programs: BAEC GGL/CR; Hilton Diamond; Mucci des Puccis
Posts: 5,601
The letter is probably a "put up or shut up".

The problem BA have here is that they will be getting possibly thousands of irate emails and phone calls asking for gestures of goodwill. At some point they have to release the strain from their front-line agents, who are very constrained in what they can say to avoid implying liability. This will be stressful for agents and that will be being passed up the management chain.

At some point you have to say that exchanging informal communications is futile. People may think that the few K they put BA's way is a big deal, but it's nothing against the potential losses from the suit. People may think that a gesture of goodwill is inexpensive and good PR, but multiply that up by a few hundred thousand, and you have a significant balance sheet issue above and beyond the potential liability from GDPR and the class actions which will probably already have provisions. It ain't going to happen.

GDPR does have an escape clause where the breach is proven to be outside the control of the organisation. That is why BA are stressing that they are the victims. I'm sure that privately there are other views, but don't expect anything more than that line. Incidentally it seems unlikely this is a cost-cutting issue; access to one script seems to have been gained, and it looks to me like either laxity or malice on the access controls and review processes when an update went live.

I think there comes a point where reality has to set in and individuals move past this until the serious issues are resolved. Join the class action by all means - these are designed to benefit the lawyers rather than individuals, but there may be something back - but if you are requesting compensation individually you need to be very clear on what it is you want compensating and why, and be prepared to come back with a lawyer. BA are making it clear that they will defend such cases, and this is reasonable because it's a dangerous distraction. This is commercial reality. If you are going to suggest that the breach caused a burglary or more than what is possible with the data acknowledged to have been lost (and there was a great deal of external analysis pointing to a scrape of the payment screen which has particular and well defined data on), then you will need more than "well, they lost my data once, so who's to say they didn't lose more than they say?" You'll need forensic security experts to prove it.

Let's be clear - I was as annoyed as anyone by the breach, which happened when I was in Amsterdam leaving for the Far East. I spent considerable time checking cards and the effects and understanding what the possible impact was by reading the reports of the various groups that had investigated the breach externally. And then I followed instructions and did what Amex told me to do (which was nothing). It cost me quite a bit of time and effort on lounge wifi in transit which I'd rather have used drinking fizz. Do I think I deserve a gesture? Yes, probably, it would be lovely to get an apology and a chunk of Avios. Do I think I'll get one? See above. Does it worry me? Not unduly, I'll join the class action and wait and see what happens.