Guy in IT sec recently: some companies reduced their yearly pentesting budget and spend the money on a GDPR paper trail instead. Compliance on paper more important than actual IT security.
This shows that they consider a GDPR fine possible, thus making it a more worthwhile risk. Their risk of penalties from cyber attack unpreparedness is essentially zero.