PCI DSS is NOT a joke
I believe those retailers that have lost data have agreed to cover the [customers'|banks'] losses and the cost of credit monitoring; the alternative is to have card facilities withdrawn, which would have crippled them.*
That's a threat with teeth, and it's neither necessary nor desirable for Government to be involved.
You're right that there are still many bad practices and that self-certification hasn't eliminated those practices. Any IT manager that ignores those problems is putting their career and their organisation at risk.
* IMHO, any merchant that stores the CVV2 code in flagrant violation of the PCI DSS rules should have this sanction applied no matter what the excuse.