
Especially for something like technology and infosec which rapidly changes, it’s silly to look to slow-moving regulations as a solution, not to mention ignoring history and gambling politicians will do it competently and it won’t have negative side effects like distracting teams from doing real work that’d actually help.

You can make fines and consequences after the fact for blatant security failures as incentives, but inventing a new “compliance” checklist of requirements is going to be out of date by the time it’s widely adopted and most companies do the bare minimum bullshit to pass these checklists.




There are so many English-centric assumptions here.

Regulation of liability can be very generic and broad, with open standards that don't need to be updated.

Case in point: Most of continental Europe still uses Napoleon's Code civil to prescribe how and when private parties are liable. This is more than 150 years old.

The real issue is that most Americans are stuck with an old English regulatory system, which for fear of overreach was never modernized.


> companies do the bare minimum bullshit

This can be true of security (and every other expense) whether it's regulated or not. Which do you think will result in fewer incidents: the regulated bare minimum, or the unregulated bare minimum?



