This is regulated. And there are penalties for violating those regulations. But it’s just not enough. Even a class action lawsuit won’t help the victims. Most of that money goes to lawyers.
Honestly, I don’t expect any of it to change until the penalties are so severe that major companies go under. Aka a corporate death penalty (which the US used to have). But even then, good software security is extremely hard. Almost everyone screws up something.