Risk of identifying too few risks
One quick question - is there any risk of our identifying too few risks that we think require treatment? Our risk assessment identifies around 200 scenarios (though we may decide that a large share of these are outside of our scope). For most of these, we have controls in place already and are willing to accept the residual risk. There are just a small handful where we think it would make sense to introduce additional controls. Is this something that an auditor would look askance at?
ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.
Considering that, the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organization) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk you need to include in the risk assessment the personnel involved with the process or asset.
As for the number of risks you mentioned (please note that the word "scenarios" is more adequate when talking about business continuity), 200 is a good number. To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 50 and 100 assets, with 3 vulnerabilities and 2 threats for each asset, so they identify between 300 and 600 risks.
An important thing to note is that risks for which you already have implemented controls (and you will only accept the risk) also count as relevant risks.
These articles will provide you with further explanation about risk assessment and treatment:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
- Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/
Jun 01, 2020