The directors take great pains to remove their liability for misdeeds. They act in broad: one step removed. Pinning the blame on them would be like trying to pin the tail on a runaway donkey.
There are established mechanisms to deal with that: for example, you can use the Health and Safety at Work Act as a template in that regard. Directors are personally (and criminally) liable for any breaches of the act within their company. They can't wriggle out of it and transfer the responsibility on to someone else; in fact, attempting to do so is itself evidence of guilt.
However, it doesn't matter what they do; in any company of a few thousand people there is always going to be plenty of stuff going on that the directors are completely unaware of: if two junior staff decide by themselves to develop a "more efficient" way of work that is unsafe, management do not necessarily hear about it until it is too late. Their only effective defence in such a case is to point to procedures they have in place: for example, that safe working practices have been determined and staff have been trained in their use, that relevant equipment is provided and in appropriate condition, that regular health and safety audits are carried out, and there is a well-defined whistle-blowing mechanism to raise issues that still crop up. If you can show all this the courts take a reasonable view - you did everything practical to ensure the workplace was safe but shit happens, therefore no guilt attaches to you as a result of this accident.
There is no reason in principle data protection could not be similar. I'm not entirely convinced about criminal liability - calling for that to me always sounds like vindictiveness after the event, and putting too much control at the very top is also putting that control into the hands of non-specialists - but I'll leave that to one side. I think (hope) this is the point the ICO are trying to make - the fact there is a breach should not necessarily lead to a sanction. If there was gross negligence and sloppy practices then sure, fine them and fine heavily. If on the other hand you can point to solid procedures in place to protect data and that they are subject to regular review to keep them current, but still have a breach falling into the "shit happens" category, perhaps that should be viewed as an opportunity for review as to how defences can be improved in future.