This is GDPR infosec stage 2 - denial
Stage one was - ignore it
Most major vendors I've run into in the last 12-24 months have successfully completed GDPR stage 1, which was to completely ignore the legislation and pretend nothing was happening. This allowed them to avoid any additional costs for development work that would have been needed to actually be compliant with GDPR.
Since most existing customers were already in contracts the ICO allowed these to continue under the old DPA, so as far as the vendors were concerned all was well.
We're now well into stage 2 - now that those old DPA 1998 contracts are expiring, savvy customers are asking difficult questions about product compliance with GDPR (DPA 2018). Since those vendors did fuck all in the years they should have been getting ready for GDPR and preparing for the post DPA 2018 world, their products now look woefully inadequate in terms of security. However, not to worry, especially if you are a near monopoly provider. Just deny the insecurity in your products and state it's secure 'enough', safe in the knowledge your customer has nowhere to go and the ICO is pretty likely to do bugger all unless you get hacked. If you do get hacked, don't forget your handy "Dido Harding" phrase book - sophisticated hack, personal data is our top priority, yadda yadda yadda.
Personally I'm keenly awaiting stage 3 - blind panic.
This will come after a couple of major hacks, when ministers feel they have to get off their arses and pass the blame onto someone. The ICO will pick a few juicy targets to take to court, and the fallout should make enough waves in the market that someone might actually open the coffers enough to get things brought up to minimum standards.
BTW, if you are a vendor and relying on username and password to protect a web exposed system processing personal or special category data, it really isn't fucking good enough, and a PIN sent via email is not "taking consideration of the state of the art" under Article 32 of the Regulation.
If you don't really know what MFA is, stop trying to bullshit the people who do know; you just look stupid.
And for this bunch of muppets: 'Melissa Kao, a director of Footfallcam Ltd, the firm behind Nurserycam, insisted to The Register that what infosec researchers had found was "legacy non-functional codes" [sic] that were "there to distract hackers".' I really wish I was there to hear her say that crap to the ICO.