Depends where they are in the world. I _think_ GDPR would be a good enough business reason, as they set a ticking clock of 72 hours from the breach to notifying individuals who are in the breach. And the fines involved are pretty steep (almost effing vertical for some).

A minor problem with GDPR is enforcement.

At least in germany it feels like you need a very dedicated and persistent person to make the case against a company/service (bonus points if they get media attention). Other countries are a bit better but it generally is not very consistent.

The enforcement for most small to mid-sized companies is often just not present and resources for relevant agencies are often only reluctantly allocated. Ime, in government institutions it is generally not very respected as it "impedes progress".