"IMHO, we make the criminals pay so heavily, make these actions state-level crimes"
In practice it would need to be a fully internationally recognised and punishable crime, assuming the miscreants can even be identified. However, I can't see European countries or the US etc. getting any cooperation from China, Russia and North Korea, to mention a few. From what I understand, North Korea actually has state-sponsored units to steal international currency this way.
I agree with you about the wetware. A family member sent his staff on a security / anti-phishing course and a week later one of them fell for the telephone scam call from "Microsoft". The excuse being that Microsoft is one of their clients, but they basically allowed the scammers full access to their servers! Considering this was a firm of financial advisors handling many millions of pounds in investments for their clients, it was very much an oh-shit moment.