It is worth mentioning, again, that fines from regulators are not the only cost consequence of a cybersecurity breach.
The point is well made in an article on the Nuix blog called Insider threat: not just a cybersecurity issue. Its unspoken context is the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It barely mentions fines, focussing instead on the many other expenses which may follow from a cybersecurity breach, especially if the breach goes unnoticed for weeks or months.
Although both the incidence and the level of fines seem to be increasing, the knock-on consequences can cost more. The Nuix article concentrates largely on the time and expense of enabling recovery, and then on the steps needed to prevent a recurrence. The most benevolent regulator is unlikely to forgive a second incident which might have been prevented by remedying the causes of the first breach.
The actual costs of dealing with the regulator may be dwarfed by the costs of communicating with and retaining customers and clients. Does the company need investment, or borrowing, or a new non-executive director? None of these will come easily to a business which has suffered a breach but done nothing to fix the problem.