It seems reasonable not to operate a business that you can't operate according to minimum standards. For example, you wouldn't run a construction company without a properly trained builder on staff.
Does "properly trained" include training to build buildings that cannot be brought down or otherwise compromised by sustained targeted attacks using the latest tools available? Most homes can be burnt down with $20 of gas and a lighter; should we consider the builders of those homes to be improperly trained?
Of course not, because that's the company's core competency. A better analogy is running a construction company without quarterly software security audits. Because if that list of clients along with contact info gets leaked, that could be a GDPR violation.