The problem is more tricky than code fixes.

Many breaches are caused by social engineering. Others are caused by third, fourth or fifth parties. Some are caused by bugs in application libraries that we have no access to. And even the coding errors are frequently obscure, found by very motivated, resourceful and smart individuals (to compare, fire doesn't change tactics over the years, fire safety can be handled by static rules). Raising legal costs probably won't eliminate it, any more than attempting to eliminate automobile accidents raising punishments for those at fault.. Our own military and government agencies have been hacked, so I'm not sure they're in a position to define security.

Interestingly, the hotel hack appears to NOT have been a normal criminal activity. The account information has not appeared on the black market, nothing seems to have happened with the credit card information. The theory I've heard is that it appears the attackers were after passport and travel info which can be an opening for social engineering attacks on executives and government officials ("Hi, do you remember me, we met at the engnineering conference in Barcelona last month"). If that's true, this is a nation state job, operating at a level that most IT departments are not prepared to match.