Personally I rather think the penalties should be phrased as:
1) 100% of all bonuses, income enhancements for the responsible corporate Directors, VPs, and C suite residents, and the entirety of BOD salaries or bonuses *possibly* payable in the year in which the offence occurs, to be paid to the fining authority by the responsible executives and the BOD.
2) 25% of corporate *revenue* for the year in which the offence occurred, to be paid to the fining authority by the corporation.
phrased such that a judge would have some discretion in cases where the entity would be able to provide substantiation of their finances in great detail and have the fine reduced if it was clearly likely to cause the business to fold.
This may seem brutal, but it would provide direct focus on systems security. It would beat the crap out of small businesses, and would force large corporates to consider their actions much more carefully. Possibly making the execs aware of their role in causing these things to happen. Especially if this was universal and these globals could be hit in *numerous* jurisdictions.