> I think just putting it on the companies is enough. If the fines are serious and can put your company out of business
They don't care. It's either never enough to make them care, or the company can just go bankrupt and you go do something else.
If you or your manager has the threat of jail in the back of their mind, it's no longer just someone else's money being lost, it's personal.
> If everyone knows that messing up security gets you in real trouble and the company loses real money
There are already huge fines on paper for this, but never ever are the fines enough. It's always factored into the "cost of doing business". Also, it's still someone else's money; why would an engineer care?
Please show me a GDPR fine that hit hard enough to scare companies into not fucking up? Evidently here it was not enough for Fiverr.
Edit: Just to provide an example, Takata airbags have been recalled massively (if you don't know why, look it up), but the company is now bankrupt and who is footing the bill? Their customers.
You cannot impose a fine on them, as it's bankrupt (now, but it was always the plan). They deliberately sold dangerous airbags, and now what can you do so it doesn't happen again? Fine them some more? Or maybe throw a few execs in jail because they knew of the problem and continued as usual.