
seemaze, last Wednesday at 4:57 AM

>Wouldn't change a thing..

That's exactly what certification or licensure does; it imposes financial, civil, and criminal penalties for malpractice.

The liability of incurring penalties quickly outweighs the benefit of arbitraging costs with an unqualified practitioner.


Replies

hurflmurfl, last Wednesday at 7:20 AM

I think just putting it on the companies is enough. If the fines are serious and can put your company out of business, and are enforced, then the companies themselves will probably work out processes for not doing stupid stuff. Whether that be creating some sort of certifications that would be prized by the companies, knowing to hire a specialized team for a security review, or anything else.

If everyone knows that messing up security gets you in real trouble and the company loses real money, and it happens all the time, and it's not just "Facebook fined $x million for doing shady stuff", then I think the industry will adapt.

Like when GDPR got released: no matter whether I thought we were or were not handling PII, I had to read up and double-check my assumptions, just because it was being talked about all over the place and it would be embarrassing to be caught with your pants down when you didn't actually intend to do a shady thing.
