Expert Advice Community

Guest

Narrowing down the list of risks

Guest user Created:   Jul 28, 2016 Last commented:   Jul 28, 2016

It says it's reasonable to have 500 risks at Enterprise level; we need to narrow down that list to an even shorter list.
Expert
Dejan Kosutic Jul 28, 2016

What is the best practice to group info Sec risks?

Answer: I assume you refer to our article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ - if you come up with 500 risks, this doesn't mean that you have to treat all of them - you will need to treat only unacceptable risks, and this is usually 10% or 20% of all the risks you have identified.

If you still want to reduce the number of risks, then I suggest grouping similar assets into a single class of assets - e.g. you could group all the servers into a single class of assets, or your laptops, etc.

These materials explain in detail how to perform the risk assessment:
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

How do you suggest aggregating and reporting to business owners so the risks are free of technical jargon, etc.?

Answer: You should present only the biggest (unacceptable) risks to your business owners/top management, and you can use small scenarios (in a couple of sentences) - what could happen if such an incident occurs.

Here is a template which provides examples of scenarios, focused mainly on larger incidents: https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/

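The two steps in the answer above (collapse per-asset risks into asset classes, then keep only the unacceptable ones for a jargon-free management summary) as an added example; this is illustrative code, not Advisera's or the answerer's, and it assumes a constructed register with a 1-5 likelihood x impact scale and a hypothetical acceptable-risk threshold of 9.

```python
# Constructed sample risk register (not from the original thread).
# Each row: asset, asset_class, threat, vulnerability, likelihood (1-5), impact (1-5)
RISKS = [
    ("web-srv-01", "server", "malware", "missing patches", 4, 4),
    ("web-srv-02", "server", "malware", "missing patches", 3, 4),
    ("db-srv-01", "server", "malware", "missing patches", 2, 5),
    ("laptop-ceo", "laptop", "theft", "no disk encryption", 3, 5),
    ("laptop-hr-03", "laptop", "theft", "no disk encryption", 3, 3),
    ("laptop-hr-03", "laptop", "malware", "missing patches", 2, 2),
    ("hr-db", "database", "unauthorized access", "weak passwords", 2, 3),
]

# Hypothetical acceptance criterion: likelihood * impact above this is unacceptable.
ACCEPTABLE_MAX = 9


def group_by_asset_class(risks):
    """Collapse per-asset rows into one risk per (asset_class, threat, vulnerability).
    The class keeps the worst member's score, so grouping never hides a risk."""
    grouped = {}
    for asset, cls, threat, vuln, likelihood, impact in risks:
        entry = grouped.setdefault((cls, threat, vuln), {"assets": [], "score": 0})
        entry["assets"].append(asset)
        entry["score"] = max(entry["score"], likelihood * impact)
    return grouped


def unacceptable_risks(grouped, threshold=ACCEPTABLE_MAX):
    """Return only the grouped risks above the acceptance threshold, worst first."""
    rows = [
        {"asset_class": cls, "threat": threat, "vulnerability": vuln,
         "score": r["score"], "assets": r["assets"]}
        for (cls, threat, vuln), r in grouped.items() if r["score"] > threshold
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def management_summary(rows):
    """Plain-language one-liners for business owners: no scores or scale numbers."""
    return [f"{r['threat'].capitalize()} affecting {len(r['assets'])} {r['asset_class']}(s) "
            f"due to {r['vulnerability']}" for r in rows]


if __name__ == "__main__":
    grouped = group_by_asset_class(RISKS)
    print(f"{len(RISKS)} raw risks -> {len(grouped)} grouped risks")
    for line in management_summary(unacceptable_risks(grouped)):
        print("-", line)
```

Keeping the worst member's score per class is the conservative choice: a class whose members all sit below the threshold is dropped from the management view, but one bad server still pulls the whole server class into it.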