The only reason these persist is because companies pay out and they can receive it in untraceable crypto currency in countries that are nearly to prosecute them in.
You make it sound like a simplistic game with set rules. There will be myriads of other reasons to breach companies, and even strictly sticking to the money part, doing ransom/extortion can have secondary and tertiary effects worth enough to do it even if the ransom fails.
If you look at it as a market, the victim is only one actor among many.
The only factor that matters is the adversaries residing in a jurisdiction with a lack of enforcement.