Oh yes, "lessons have be learnt" and that lesson is that paying the fine is cheaper than securing their data.
Fines should be realistic and punitive, a minimum of £1 per user who has information compromised, doubling for any subsequent offences. After 3 such offences prison time should be an available penalty.