The govt shouldn't mandate what exact steps companies must take to be secure, because as you say it's woefully behind the times usually. But it should heavily punish security failures. Companies can choose whatever method they want to keep customer data safe, but if they fail there will be hell to pay. That would be the ideal system as far as I can see.