I think the most feasible solution is to make companies liable for damages, not in a light way but rather that every person can sue (or in a class action) for hefty amounts, so that a breach could cost e.g. 100mil+
that should incentivize them to actually invest some money in security. right now its just tiny numbers which are easier to just pay off and forget about
You'd have to deal with all of the binding arbitration agreements first.
That said, class action lawsuits also are part of the cost of business. Nothing is ever going to change unless the boards of directors (not CEOs) can be held liable for the behavior of the companies that they direct.
that should incentivize them to actually invest some money in security. right now its just tiny numbers which are easier to just pay off and forget about