"I think the fine is reasonable as Knuddels apparently copped a mea culpa and fixed the problem"
Those are factors to take into account. But at some point the message needs to get across that you can't just wander into setting up a site with no knowledge that you need to secure it, or maybe no knowledge of whether the people you entrusted to do that actually did so. If people can get away with saying sorry and fixing it after the event they will, and that doesn't undo the damage that might have been caused. From this event it's probably 800k people who need to change their email addresses with all the inconvenience that causes to get off spam lists and maybe a few of those will lose money getting scammed along the way. Repeat for every business that hasn't got the message yet.