Logically, if Russians want to infiltrate your organization, they won't do it from Russian IPs directly, but instead do it from cheap proxies, and those proxies are abundant in the Netherlands or Germany.
Only stuff like scanners and other basic stuff (that comes from devices that have been left unattended and without updates). But the actual malicious traffic is not that easy to spot, as it won't be routed directly.