Sometimes the harm is severe. Vast oceans of poorly handled personal data collected in exquisite and unnecessary detail by dark patterns, copied around to everyone who might be interested with low regard for security, kept forever, analysed by the best algorithms and sold to whoever will buy it, raise the risks and consequences of identity theft and fraud for everyone.
Those are the sorts of things GDPR is designed to limit.
The GDPR isn't about cookies or websites. It applies to non-web-based businesses too. It's basically just insisting on security best practices in every part of a business that handles personally identifying or sensitive data.
Limiting its collection to what is necessary and consented to, deleting or anonymising it when it's no longer required, respecting the wishes of the individuals the data is about, and giving people some confidence that security best practice is taken seriously.
Now, they tend to continue to use Meta's products because they have become essential communication tools for those people, so in fact, many people would welcome regulation that allows them to continue to use key communication tools without the sleazy privacy violations they weren't aware of.
I'm not the one deciding.
I said some of the harms are severe. Not everything. It refers to things like people losing their online accounts, having their bank account drained, their credit rating ruined, private photos shared, passwords changed or published, losing files to ransomware, all as an indirect result of poorly handled data collection resulting in identity theft and similar.
I'm pretty sure most people affected by those things do consider them severe, and that many people upon learning about those things also consider them quite severe, even if they didn't care before they learned.
If most of those people consider those things severe, that's enough to call them severe.
You don't need my opinion for that.