There's also the proportionality clauses to consider. The law explicitly states that the penalty should be proportionate, so that small companies aren't hit with huge fines.
The fines are supposed to be proportional. Everyone has latched on to the $40mm clause, and decided that anyone in breach of GDPR rules is going to be fined millions of dollars.