
> That will get them serious about security.

My guess is that they only get serious about security after a breach occurs.

You can view it all as strengthening an immune system. Without attacks, and the occasional successful ones, nobody is going to bother to harden anything.



Is that like how the banks all got serious about evaluating their risk carefully after the first time [1] they saw their models, and consequently their liquidity, evaporate?

Obviously I agree about your dissatisfaction with the other proposed solution: that just lets corporate entities put a low (10%) ceiling on what should be unlimited liability, allowing them to say that failing catastrophically by utter neglect of security is reliably a survivable offense (I recognize that in reality the liability of course ends at the dissolution of the corporation).

I don't know what the actual answer is.

[1] https://en.m.wikipedia.org/wiki/List_of_economic_crises


I don’t think the analogy applies. We are humans, capable of observing the failures of others and making rational decisions to avoid those same failures. The immune system is programmed to react one specific way. For example, we can choose or choose not to go out of our way to get vaccinated. If someone doesn’t get vaccinated and infects a dozen other people and then gets really sick themselves, it’s hard for me to have sympathy. Unfortunately here, when there’s an illness, millions of people have private information leaked. This should simply be unacceptable.



