
Well, client-side attacks are great because they typically rely on the naivete or indifference of the user. And the client-side attack surface is typically protected to a lesser degree than a server. A well-orchestrated spear-phishing attack is tough to defend against, even for a security-conscious user. The attack surface is just so large.

However, the meat on the bones is really on the servers. If someone pops my desktop at work, they won't find much valuable data. But they will be able to keylog me, grab admin password hashes, ARP-spoof, etc. Still, no data. But what they will get enables them to access our company files and databases in short order.

In essence, client-side attacks in the corporate world are definitely targeted at server data, while in the consumer world, they're targeted towards identity theft or botnet creation.



This is the gov world though, where the interesting information is things like your address book, your emails (the content as well as the senders/recipients), your private keys and passwords, etc. etc. Client sides provide direct access to those things (or at least, a means of obtaining them).

There are very few governments that care about what is on your company file server or in your company databases. (Ignoring the elephant in the room on that one.)

Law enforcement agencies keep huge Access databases of the contacts they extract from cell phones taken from criminals. They share this intel with each other via email (I know, I know...). They can discover a great deal about who is involved in an activity and where they are on the totem pole from just this data. It's even possible to identify people by correlating the content of the "name" field and using the phone number as a unique ID. Criminals tend to have poor OPSEC.


I don't think it's safe to assume that government simply means spying on individuals for national security reasons. Governments engage in corporate espionage all the time, and not just China.



