Aren't the security issues just that session resumption makes it easier for a network adversary to identify users (in TLS 1.2), easier for the web server operator to recognize users even without cookies or device fingerprinting (in both TLS 1.2 and 1.3) and effectively a less aggressive session key expiry for forward secrecy properties (maybe in both or maybe just in TLS 1.2)?
If so, I'd say most sites and most users haven't worked out a threat model that's explicit enough to clearly justify worrying much about this, unfortunately.