Two papers came out last week that suggest classical asymmetric cryptography might indeed be broken by quantum computers in just a few years.

That means we need to ship post-quantum crypto now, with the tools we have: ML-KEM and ML-DSA. I didn't think PQ auth was so urgent until recently.

https://words.filippo.io/crqc-timeline/

A Cryptography Engineer’s Perspective on Quantum Computing Timelines

The risk that cryptographically-relevant quantum computers materialize within the next few years is now high enough to be dispositive, unfortunately.

@filippo Both algorithms have not been extensively tested and analysed. It could be a significantly higher risk that they are broken on classical computers than that there is a quantum computer that can do what is stated by the papers. Instead of having a quantum computer validate this risk in practice, they only work on artificial, irrelevant problems (not actually trying to break keys). It would be good to see some real case (even a small one) where they try to do it; this would help to understand the risk.

@filippo Quote from a paper that you cite: ", our most time-efficient architectures can potentially enable runtimes of 10 days for ECC–256 with ≈ 26,000 qubits, and 97 days for RSA–2048 with ≈ 102,000 qubits"
This is for one key! If all "substantial engineering challenges" are solved.
It was not the scope of your post, but a broader assessment of Confidentiality, Integrity, Availability risks with some concrete estimations would help (which is maybe more a job for an IT Security Risk Manager).

@jornfranke I encourage you to reread the article because it addresses all your objections, especially the "why did they not break a small key".

I will add that the cryptography experts are actually very confident in the security of lattices. https://keymaterial.net/2025/12/13/a-very-unscientific-guide-to-the-security-of-various-pqc-algorithms/

A very unscientific guide to the security of various PQC algorithms

After publishing my series on UOV, one feedback I got was that my blog posts made people feel more confident in the security of the scheme, because “at least someone is looking into these thi…

Key Material
@filippo Cryptographic experts might be confident in the security of lattices, but I would not be confident in their secure implementation. It took decades to get the implementation right for classical algorithms, and they are still often wrongly implemented. This is a big security problem.
@jornfranke I am a cryptography engineer so I can tell you from experience: no, ML-KEM and ML-DSA are easier to implement and easier to test than all their classical alternatives.
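As an added illustration of the "easier to test" point (this is example code written for this page, not Filippo's or the Go project's own code), the block below runs one ML-KEM-768 exchange with Go's standard-library crypto/mlkem package (Go 1.24 or later is assumed) and checks the three properties a unit test for a KEM can pin down directly: the sender's and receiver's shared keys match; a tampered ciphertext yields a different key without an error (ML-KEM's implicit rejection); and the private key is a deterministic function of its 64-byte seed, so stored seeds reproduce the same public key. The `Exchange` type and `RunExchange` function are names chosen here for illustration.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// Exchange records the checks a test makes on one ML-KEM-768 round trip.
// (Type and field names are this example's own, not a library API.)
type Exchange struct {
	SharedKeyMatches  bool // receiver recovers the sender's shared key
	TamperedDiffers   bool // a flipped ciphertext byte yields a different key, not an error
	SeedRoundTripsKey bool // re-deriving the private key from its seed gives the same public key
}

// RunExchange performs one ML-KEM-768 encapsulation/decapsulation using
// crypto/mlkem (Go 1.24+). The caller supplies the 64-byte seed so the key
// generation is deterministic and reproducible in a test.
func RunExchange(seed []byte) (Exchange, error) {
	var ex Exchange
	if len(seed) != mlkem.SeedSize {
		return ex, fmt.Errorf("seed must be %d bytes, got %d", mlkem.SeedSize, len(seed))
	}

	// Receiver: expand the seed into the decapsulation (private) key and
	// publish the encoded encapsulation (public) key.
	dk, err := mlkem.NewDecapsulationKey768(seed)
	if err != nil {
		return ex, err
	}
	ekBytes := dk.EncapsulationKey().Bytes()

	// Sender: parse the public key (this also validates its encoding) and
	// encapsulate a fresh 32-byte shared key.
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil {
		return ex, err
	}
	senderKey, ct := ek.Encapsulate()

	// Receiver: decapsulate the ciphertext.
	receiverKey, err := dk.Decapsulate(ct)
	if err != nil {
		return ex, err
	}
	ex.SharedKeyMatches = bytes.Equal(senderKey, receiverKey)

	// Tamper with one ciphertext byte. ML-KEM uses implicit rejection:
	// Decapsulate returns a pseudorandom key derived from the private key and
	// the bad ciphertext instead of an error, so the test asserts inequality
	// of the keys rather than a non-nil error.
	bad := bytes.Clone(ct)
	bad[0] ^= 0x01
	badKey, err := dk.Decapsulate(bad)
	if err != nil {
		return ex, err
	}
	ex.TamperedDiffers = !bytes.Equal(badKey, senderKey)

	// Key generation is deterministic in the seed, so the seed returned by
	// dk.Bytes() must reproduce the same public key.
	dk2, err := mlkem.NewDecapsulationKey768(dk.Bytes())
	if err != nil {
		return ex, err
	}
	ex.SeedRoundTripsKey = bytes.Equal(dk2.EncapsulationKey().Bytes(), ekBytes)
	return ex, nil
}

func main() {
	// Stand-alone run: a random seed, as real key generation would use.
	seed := make([]byte, mlkem.SeedSize)
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	ex, err := RunExchange(seed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", ex)
}
```

The point of the tampering check is that a KEM test cannot look for an error on a bad ciphertext; the specified behaviour is to return a key that is useless to the attacker, so the assertion has to compare keys.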

@filippo @jornfranke I wouldn't say they are necessarily easier, but we stand on the shoulders of giants; these days we have tools and knowledge the RSA pioneers hadn't even dreamt of yet, so a lot of the pitfalls are much easier to avoid.

The cryptography community also builds bulletproof algorithms these days, not just primitives everyone has to figure out how to make secure by themselves.

All that said ML-KEM and ML-DSA's power and timing side-channel analysis is much harder, but doable!