by baq 2711 days ago
Rules are simple really - if you can identify me, you must provide a way for me to tell me what you know about me and to stop tracking me for any purpose at my discretion. Is it much to ask for?

If that's all it was, it would be easy. The problem is that GDPR compliance is a negotiation with lawyers and an ongoing threat of lawsuits for any perceived misstep. It means maintaining a legal entity (your Data Privacy Officer) who either reviews everything or who sets internal policies (both approaches have risks). For some companies it is worth it. For some it is not.
The lawsuits are mostly initiated by “ambulance chasers” and for that reason most of them will fail.

Also the data protection authorities are there for guidance too, not just for giving fines. You don’t need to hire lawyers, you can just contact your local DPA. And if you do that, and take steps to be compliant, you’re acting in good faith.

Fact of the matter is most publishers are not compliant because most publishers use bidding exchanges and the bidding exchanges currently leak user data in a way that cannot be GDPR-compliant, even with user consent.

But in such a case it is naive to blame the GDPR. We are talking about an entire industry built on profiling users based on leaked data and that needs to change.