
Still not enough
Many companies use the same "good enough to lower fines" algorithm as banks and, given that they're managed to maximise profit, that is sort of understandable.
Until the fines exceed the cost of doing it right regarding IT security by at least 100%, this is not going to change. That's a bit like fining Facebook/Meta/whatever $1M for privacy violations: that's a rounding error in their books, not a reason to change anything.