Many technologists fail to appreciate that security is not something which businesses want to provide at all margins. (Consumers are similar; they're unwilling to literally or figuratively pay for security at all margins, too.)
That axiom is trivially false; customers are routinely compensated (via indemnification) for security incidents. The argument over Equifax is whether they should additionally be paid for preemptive defense or in excess of realized monetary damages.