
I think it would be reasonable to have a law that says you need to have X level of security for certain information. Then it would be criminal to provide less than that level of security, especially just to save money. I just think it would have to somehow have exemptions for honest mistakes, and clever attackers.



The problem with that is the devil is in the details and it fails to account for changes properly in technology and excludes far better alternatives.

Say for instance there is a requirement that there must be DES encryption of passwords. That would be a downright terrible law on several levels - first of which is that the best way to secure passwords is not keeping them in the first place but a hash. The encryption standard is as laughable now as requiring banks lock their vaults with a simple warded lock - the kind where skeleton keys work because shaving the teeth from the key means it no longer has anything to catch on while it turns the lock.



