It's a matter of incentives
Companies, whether app vendors, cloud service providers, OS makers, or device manufacturers, will never put constant ongoing attention into user privacy and security until they have a strong incentive to do so. The situation in the USA is particularly bad, but AFAIK it isn't that much better anywhere else.
Short of legislation that gives end users clear rights to monetary damages without the need to demonstrate financial harm, companies will continue to sacrifice privacy and security for other goals where they have clear incentives. I promise you, the moment that companies are exposed to risk of damages at a scale that threatens the profitability of their enterprise, we'll see an abrupt change in attitudes.
The problem, of course, is how to write such legislation that gives clarity to both companies and end-users on what privacy and security is expected. Privacy actually seems a little easier to tackle to me, but certainly isn't easy in any absolute sense.