[hrishi]

The biggest issue IMO is that most software begins as a startup, and despite becoming big companies later, the startup mindset and habits don't really change.

Before product-market fit, you don't really know what data you need and what data you'll need. You can't go back in time to collect data, you need to do it now if there's a chance it will be useful later. In a pre-seed company (or even at seed), you don't have the resources to audit every package much less get SLAs in place. Most companies I know do the bare minimum for GDPR, and it's not a lack of care for the user, but that often it's not the best place to deploy resources when considering the survival of a company.

Most software starts out being assembled in flight with multiple changes in destination - and those habits stick.