But there’s plenty of evidence suggesting you would be wrong. The biggest fines under GDPR have been for Meta, Amazon, TikTok, Uber, LinkedIn.
Even outside of tech you don’t have to look too far down the list to find H&M, British Airways, Marriott Hotels, Vodafone…
https://www.enforcementtracker.com
This example specifically refers to failure to adequately secure systems against unauthorised use: https://www.enforcementtracker.com/ETid-2306
This one is even closer to what you’re saying—Vodafone didn’t do enough to monitor third parties working for them: https://www.enforcementtracker.com/ETid-2646