[794CD01]

>businesses actually care quite a lot if their data leaks.

How are you coming to that conclusion? Companies may say they take security seriously and they want to avoid becoming the next Sony or Home Depot, but how many actually allocate resources accordingly? It's much more efficient to just issue a press release and offer to pay for credit monitoring services that virtually nobody will actually use.

[Joeboy]

To be fair this is HN and that's undoubtedly true of most startups. But from my experience large, established, boring companies spend a lot of money on covering themselves against this sort of thing. Or at least on CYA security rituals. If they have money to spend on security theatre, why not try to sell them something that actually works?

[794CD01]

I would speculate that it's because they are more concerned with checking boxes for their auditors or insurers than they are about the actual data. As for convincing the KPMGs of the world to take security seriously instead of calling for security theater, well, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it".