Re: "Except it would had cost money to do so. Money not spent = profit."
The root cause?
IMHO it ought to be the basis of any fine: make the fine many, many times more than the expense of doing it properly, of course retrospectively applied and aggregated. It's the only way I can see this become a concern for those taking the decision as it hits them in their pocket.
Further, make security audits mandatory as well as their publication for big organisations after, say, a 3 month period to fix the problems found, with an extra 3 month wait extension only available via a rigorous exception process to filter out the usual excuses.