That is the last thing business wants. The credit card brands developed PCI to avoid regulation. But in most circumstances, there is no 800-pound gorilla to enforce security standards.
If you do an in-depth read of the PCI security standards, you’ll see that the standards are about protecting the card brands, not you.
PCI is a very bad example because when it comes to card fraud the liability is on the merchant, bank or card networks. So in that sense it's actually normal that PCI focuses on protecting card brands and not you because you are already protected by them and they're just trying to recoup the costs.
Neither does GDPR compliance, but here in the EU I know some companies who are really nervous of being fined, while at the same time doing their best to comply.
Fines would therefore be the obvious solution to the lack of cybersecurity. Network breach / data leak due to not patching software x days after vuln disclosure? Here's your fine!
Unfortunately, most of the alphabet soup compliance programs have perverse incentives - they encourage ticking check-boxes, while doing nothing to improve the security as such.
I believe the real problem is that effective security is hard, and most merely want to pretend rather than actually invest in doing it.
Well, maybe more checklists and consultants.