For example: they keep referring to "sensitive data", by which they probably mean Article 9 data, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.
That's only a subset of GDPR data, and in my personal experience, rather the exception than the norm. The norm doesn't seem to be discussed at all.
The UK's ICO Guide is a much better guide.
I've seen a bunch of similar articles, and it's the lawyer approach to GDPR and data protection in general. They attack the problem from the angle that you want to continue doing what you've always been doing, while staying within the law. That's the same approach sites that just block the EU have opted for; they don't particularly care to reevaluate their usage of their users' data.
The links you've added are very good and I would include the ICO's self-assessment toolkit, which is a useful guide:
"The new rules were developed in response to a dramatic increase in cyber attacks and are aimed at combating such attacks through the cooperation of state and commercial enterprises and organizations."
Is this true? I mean, does GDPR punish breaches, or does it punish not following GDPR rules? I mean, you can get hacked regardless of whether you obey GDPR or not.
Alright, they could have been fined for not reporting the breach, yeah.