Is there any evidence that low-level people have been targeted, or is this just speculation around what could happen?

Yes, "evidence for a secret program" is a bit tricky to produce, but the one I know of - Doe v. Ashcroft - the president of the company was compelled to produce data. I'd be very surprised if this wasn't the universal approach.

This sounds scary, but unlikely. Do you have a source that this tactic is used and effective?

My immediate reaction to such a letter would be to contact the company legal department regardless of whether the letter said not to, simply because I'd assume unless given very good evidence (and originating from a .gov domain isn't good enough) that it was a scam.

Edit: According to the EFF you can talk to an attorney about an NSL.

https://www.eff.org/issues/national-security-letters/faq#24

I would not suggest taking legal advice from the EFF. You might as well contact the sovereign citizen movement at that point.

Letters can be intercepted, letters have tracking, letters of this magnitude will require certification, and at the very least will require a courier. All of that assumes the letter can be delivered, and also assumes that the recipient believes that the letter is authentic. If I sent you an authentic looking NSA letter, would you just do what you're told? Fat chance...

An email/phone call to a legal department is much less work and provides all the same protections.

I didn't consider that, but it aligns with my experience as well. From a C-Level perspective that is probably desirable as they don't want to get involved with that sort of thing in the first place.