This is unquestionably true, but it is an awful excuse to not enact any regulations. Honestly, what do people expect is the answer if the free market has already been shown to fail to address this problem and we are ruling out regulation because it increases the barrier to entry?
"regulations could avoid security breaches anyway"
Translucent Databases 2nd Ed: Confusion, Misdirection, Randomness, Sharing, Authentication And Steganography To Defend Privacy http://a.co/c78Gij0
TL;DR: All demographic records are stored encrypted, and are no longer retrievable if you lose the signing key. Think "proper password storage" extended to all things.
Bonus: Support for GDPR "right to be forgotten" for free. Just erase the key(s).
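The pattern the comment above describes, per-subject encryption with erasure of the key as the deletion mechanism (often called crypto-shredding), as an added stand-alone example that is not from the commenter or the book linked above. It assumes a key table held separately from the record table, one random data-encryption key per data subject, and uses an HMAC-SHA256 counter-mode keystream plus an HMAC tag purely so it runs on the Python standard library; in production you would swap that for AES-GCM or a KMS-backed envelope. `KeyStore`, `TranslucentStore` and the subject/record ids are hypothetical names chosen for the demo.

```python
"""Crypto-shredding demo (illustrative, stdlib only).

Records are encrypted under a per-subject data-encryption key (DEK) kept in a
separate key store.  Deleting the DEK makes every record encrypted under it
permanently unreadable, which is the "right to be forgotten by key erasure"
trick described in the thread.  Cipher is an HMAC-SHA256 keystream with an
HMAC tag; that is a stand-in for AES-GCM, not a recommendation.
"""
import hashlib
import hmac
import json
import secrets


def _derive(dek: bytes, label: bytes) -> bytes:
    """Split the DEK into independent encryption and MAC keys."""
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) concatenated."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _derive(dek, b"enc"), _derive(dek, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip the keystream."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _derive(dek, b"enc"), _derive(dek, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """Key table, kept apart from the data (e.g. an HSM or KMS in practice)."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def get_or_create(self, subject_id: str) -> bytes:
        if subject_id not in self._keys:
            self._keys[subject_id] = secrets.token_bytes(32)
        return self._keys[subject_id]

    def get(self, subject_id: str):
        return self._keys.get(subject_id)

    def forget(self, subject_id: str) -> bool:
        """Erase the DEK; returns False if there was nothing to erase."""
        return self._keys.pop(subject_id, None) is not None


class TranslucentStore:
    """Record table: only ciphertext and the owning subject id are stored."""

    def __init__(self, keystore: KeyStore) -> None:
        self.keystore = keystore
        self.records: dict[str, tuple[str, bytes]] = {}

    def put(self, subject_id: str, record_id: str, fields: dict) -> None:
        dek = self.keystore.get_or_create(subject_id)
        self.records[record_id] = (subject_id, encrypt(dek, json.dumps(fields).encode()))

    def get(self, record_id: str):
        """Plaintext fields, or None if the record or its key is gone."""
        if record_id not in self.records:
            return None
        subject_id, blob = self.records[record_id]
        dek = self.keystore.get(subject_id)
        if dek is None:
            return None  # ciphertext still on disk, but unrecoverable
        return json.loads(decrypt(dek, blob))

    def forget_subject(self, subject_id: str) -> int:
        """Erase the subject's key; returns how many rows just became unreadable."""
        if not self.keystore.forget(subject_id):
            return 0
        return sum(1 for sid, _ in self.records.values() if sid == subject_id)


if __name__ == "__main__":
    store = TranslucentStore(KeyStore())
    store.put("alice", "r1", {"name": "Alice", "dob": "1990-01-01"})  # constructed sample data
    print(store.get("r1"))
    print("rows shredded:", store.forget_subject("alice"))
    print(store.get("r1"))
```

Note that the ciphertext rows are never touched by `forget_subject`; backups and replicas that still hold them are harmless once the key is gone, which is the whole reason the trick works, and also why the key store itself must not be in those same backups.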
Edit: To be clear, I'm not saying anything about the necessity of any regulations. I'm just saying that when evaluating possible future regulations, viewing just in the light of incumbent/newcomer dynamics alone will give you absurd results.
Dow, having established cash flow and infrastructure, can trivially bear whatever these costs are. These regulations were even created because Dow themselves (et al), somewhere in the middle of their life, optimized their profit by dumping in rivers.
You personally know the environmental harm and grave illegality of improperly disposing of waste products, and your company is small enough that you can be sure everybody is of a similar mind - you're focused on solving technical problems, having not yet been taken over by beancount-maximizers. But you still must pay the costs of the overbearing "compliance" paperwork designed around large amoral entities, perhaps even having to hire a dedicated government bureaucrat fresh out of law school. This is the gatekeeping-legislation dynamic people complain about.
Which, given your corporate size and lack of TBTF, would be a criminal penalty rather than a civil wrist slap.