Companies have little direct motivation to have good security practices; they're only motivated to manage their reputation. Any attention they pay to security is only a side-effect of caring about reputation management.
And as we've learned from significant breaches, there is rarely a reputational hit for even the biggest breaches. Anyone remember that time Target accidentally doxxed 70 million people? I don't think there was any noticeable difference in their income or profits.
No one cared.
And ultimately, the only reason they care about their reputation is because it affects their profits. For-profit companies optimize for profits, as always :)
So the mom-and-pop donut shop on the corner always optimizes for profits? The local donut shop?
Most companies do not actually optimize for profit. If they did, they'd stop whatever it is they are currently doing and switch to whatever industry makes the most profit. They don't, though; they generally keep making or doing whatever it is they started with. That means they aren't actually optimizing for profit.
Companies do have a motivation to have good security practices (and disclosure), because they are motivated by their reputation, which is essential for customers to trust them enough to be customers, even more so as the proliferation of SaaS means more long-term relationships and more customer data.
The challenge is for customers and companies to communicate and agree to the new social contract.