It is starting to happen but not as quickly as it should IMO.
The current fines and penalties are not big enough or severe enough to prompt said business owners to prioritise app-sec. With most traditional businesses, the decision is risk-based on “Cost of Breach” vs “Cost of Fine”; in most cases the cost of the fine is far less than the cost of clean-up.
The era of “Digital Transformation” plus a lot more “Digitally Savvy” clientele is slowly bringing about a shift in this mentality. The “cost of breach” now includes losing customers and the real potential of a business going under due to negative perceptions in the market.
From my experience, high profile incidents only cause short-term panic and then it’s back to normal for most businesses. It always goes back to that “cost of breach” vs “fines”.
I do like how governments worldwide are starting to look at private business cybersecurity as part of National Security. Let’s see what impact this has on shifting security left.