This is just the new "no one gets fired for using IBM".

We need actual liability laws for compute services at this point, and they should pass through every entity between the bits on disk and the end user.

Google disappears someone's realtor's corporate email, and it cost the agent a $100K real estate commission? Google and the employer get to pay $50K, plus damages to the customer.

Or whatever. The point is not that they'd be paying lots of these fines. The point is the cost of non-compliance and insecure setups is 1000x the cost of just doing their jobs. At that point, the bean counters would allocate another 10% to engineering, and all the easily-solved problems would disappear.