Until jail/prison time is on the menu for C-level executives, mismanaging PII isn't a big deal. They pay a fine and mark it down as a cost of doing business. They've likely made a much bigger pile already and will continue to do so in the future from maintaining that list. Now, if lead monkeys were given a time-out and there was the possibility of company-ending fines in the cases of the most gross negligence, perhaps data security would be more of a priority.
I know people that have gone through several levels of hell after their data had been leaked by a company they didn't have any direct business with. It's the nightmare that just keeps on giving and can take several years to get mostly cleared up, although the lingering aftereffects carry on for much longer. Credit gets wrecked, retirement/bank accounts might be reinstated but not the interest they would have made, good stock buys negated and all sorts of other things that cost a person. There are so many layers of government that never seem to talk to each other, getting something cleaned up in one place can be unstuck again when another agency doesn't get the memo about the breach and it's back to fixing everything up again. Seeing it from the outside, I have to wonder if it would just be better to move to a new country and create a brand new identity than to try and fix up yours.