> All these endless data breaches could be reduced if we fixed the incentives, but that's difficult.

EU fixed the incentives with GPRS and DORA, that was the easy part. In theory company that doesn't follow "secure by design" will end up bankrupt by (revenue dependent) fines. In practice the enforcement is lack luster, courts are lenient and international cases take ages, even if both countries are in EU.