A big problem is that regulation tends to be pretty porous. Rather than curbing bad behaviour, it just adds, as you say, several layers of complexity on top of the bad behaviour. And the task of handling that extra complexity ends up on the desks of the working grunts keeping the system churning.
Like with GDPR, the regulation was to give people control of their data and make privacy by default an available option. But it's just given users more hoops to jump through before scooping up a user's data anyway.
Regulations tend to be a bit of a nudge in the right direction, but play out as something systems have to work against to keep things running the way they were before.
A second huge problem is that governments ... don't know how to do security. So they just mandate some random measures.
And then the problem is that people follow their measures ... and see this as absolving them of further responsibility. In many cases in the financial world that isn't just laziness: that's actually how the law works.
So much of the regulation burden doesn't just force the whole market into large companies, it actually opens up and legally mandates not security, but security holes.
Can you please provide a single case of high profile security breach that was caused solely by regulation? That must be easy if what you say about regulation opening holes is true.
Like with GDPR, the regulation was to give people control of their data and make privacy by default an available option. But it's just given users more hoops to jump through before scooping up a user's data anyway.
Regulations tend to be a bit of a nudge in the right direction, but play out as something systems have to work against to keep things running the way they were before.