Who exactly makes the decision? Who sets the bar for where this has happened or is happening?
For the sake of discussion, the answer to that question is 'a judge and jury', perhaps...
There probably should be a minimal security level required for businesses that store personal and private information. We require all sorts of other things, from worker safety to HIPAA (here in the US - but your country likely has something similar).
As for victim blaming, there's a 'reasonable personhood' (or business-hood, I guess) for judgement. In many court cases, the result isn't black and white. The courts may find that both parties share some responsibility to various percentages.
If you're openly wearing expensive jewelry and flashing cash, you probably should not then go into dark alleys. Sure, it's the criminal who robs you and they deserve to be held accountable - but you're a darned idiot for doing so.
Some places now charge if they have to rescue you. If you go climb a mountain without the right gear and get stuck up there - you just might be paying for all (or part) of your rescue costs.
I am perfectly okay with that...
This is a similar principle, I suppose...
Now, what would those laws look like? Well, I guess they'd have to be sort of generic and have to change with the times. A court can easily judge (with the help of friends of the court - experts in the field) a case like this. The key terms could be 'to a reasonable standard' or similar.
I go to great lengths to protect any personal data I save. People have chosen to trust me with that data. I'm not a business in this sense but I'd be mortified to violate that trust.