
Governments can stop a lot of those breaches if they applied financial and criminal (i.e. imprisonment) penalties to executives for failing to secure their systems.

If every CEO and CFO's first priority is "How do I not go to prison?" and the second priority is "How do I enrich shareholders?", then security _will_ be fixed. Simple as that.




> Governments can stop a lot of those breaches if they applied financial and criminal (i.e. imprisonment) penalties to executives for failing to secure their systems

And how do you codify that? It’s possible to be breached when following best practices and doing everything right.


Of course, a supply-chain software company must have strong security and bear full responsibility for not having one.

However, in general I wouldn't be so fast to blame victims. Strong security isn't cheap nowadays and adds to the cost of doing business. To make things worse, cyber-attacks become increasingly more sophisticated, so the "security tax" will only grow and fewer organizations will be able to afford it. That's why consolidation is inevitable - it will just become more economically reasonable to share the cost of cyber-defense.


Security is not cheap, in real terms. Also, security is not easy to understand even by the technically competent. It’s also boring AF. Processes and tools get impacted and it’s very hard to turn the metaphoric ship that is a business operation. I know it’s contrary to the tasty trend of blaming CEOs for everything, but IME this is not a CEO problem except in a relatively narrow sense. It’s a COO problem at least as much, and a problem whose resiliency is enforced by every manager up and down the line who doesn’t want somebody pissing in their corn flakes while they’re trying to spin five bowls of corn flakes on sticks (to mix metaphors). I’m gobsmacked by how many relatively young adults lack some basic skills at thinking systemically and this retards efforts as well - even conceiving of the motivations driving initiatives, a lack of threat awareness, etc.



