Nobody is legally responsible, oops
First problem is one of liability and responsibility. Nobody feels responsible and all exclude any kind of liability.
If you buy a product, then any damages are limited to the "cost" of that product. But when McD offers a too hot nugget over the counter, then, oh boy,... the hot nugget just cost a fortune for McD.
Why this discrepancy? If you sell software/licenses, you should not be able to hide behind not-my-problem legalese. Please note that it says sell software/licenses, i.e. you profit from the product you sells. And in the end, the C-suite must be personally accountable and liable for cut corners and deviation from best practice. They are the responsible persons, regardless.
Second problem is that throwing money at security is not solving any problem. You need to address expertise and process. That means it takes time, lots of time, to develop. It also means focus on reliability and not on features and featurism.