Most of the time it is just cheaper to pay the fine rather than practice good security. I recently read about a health organization that had a million records compromised. They were fined $3.5 million, so about $3.50 a record. A lot of companies figure it is better to just take the chance, and even if you do get hacked it still costs less than having a good security program.
That's often the case. Same thing with credit cards. Cheaper to pay for bad transactions than to pay for better security in the cards.
Yeah. These companies get rewarded for not having security. Just because you have terrible security doesn't mean you will get breached either. How many are flying under the radar that we don't know about?
No, the bigger question is, how many have been breached that they aren't aware of, and the effects are low enough that it's not tripping any alarms?
Any good breach will be that way - no one knows except that data is out there, somewhere.