Mainly b/c there are no real downsides/penalties to leaking data (or PII) - you say "sorry" and just move on. Sometimes with an increased stock price - see Equifax :(
Depends on the industry. In some heavily-regulated industries, there are huge fines at stake for leaking information.
Look at healthcare. If information leaks, it has to be reported to the feds within 24 hours of initial discovery. Not C-level finding out, but whatever low-level employee finds it. Even if it's one person. If it's more than around 10 people, there's a federal requirement to report it to the local media.
I used to work specifically in the healthcare space doing cleanup work for companies that had been recently breached. I think "huge fines" is quite an overstatement. The largest HIPAA fine in history for a data breach was for the Anthem hack, which was a leak of ~80 million records, and Anthem was fined $115 million. That's no small number, but at the end of the day it's still less than 5% of their yearly net income. And Anthem is a huge outlier: the second largest HIPAA fine in history was only ~$6 million. It's not exactly a huge deterrent for companies that want to ignore security.
In terms of the public exposure, you'd probably be surprised at how many healthcare insurers/providers have data breaches that you never hear about, because these companies know how and when to report them so that they end up as nothing more than a footnote on the back page of the local paper.